Re: [Openvpn-devel] [PATCH] Configurable installation directories
On 24/09/2024 15:26, Petr Portnov wrote: Hi there! Continuing the packaging of the latest OpenVPN-linux for NixOS, I would like to propose the following addition to the build system. What it does is it allows you to customize the installation paths for DBus and systemd services and adds the option to disable the generation of `openvpn3_statedir / 'configs'` directory (which is not always desired, e.g. when the OS takes this responsibility). That's again, Petr! I'm going to pull this into the coming v24 release. I'll keep you posted on the progress here. Your changes makes sense, so I don't expect any issues here. Going to test it a bit first, though. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] build: reduce hardcode in `asio_path`
On 09/09/2024 21:43, Petr Portnov wrote: Hi there! Any updates on this proposal? пн, 2 сент. 2024 г. в 22:34, Petr Portnov <mailto:mrjarviscr...@gmail.com>>: Hi there! While working on packaging `openvpn3-linux` for NixOS I've discovered a problem with `asio_path` child path being too strict (since not all distros have `asio` as the parent of `include` directory). Thus I am suggesting a simple patch which allows better control over this path allowing easier integration with distros. This has been merged and pushed! commit 75abb7dc9366ba85fb1a144d88f02a1e8a62f538 Author: Petr Portnov Date: Mon Sep 2 22:25:33 2024 +0300 build: reduce hardcoded 'asio_path' Currently, 'asio_path` variable value is concatenated with '/asio/include' to specify the path to custom `asio` installation. The problem is that this is too strict as some distros (namely NixOS) may have the 'include' directory with a differently named parent. Thus this change minimizes the hardcoded part of the path to make it more flexible. Signed-off-by: Petr Portnov Thanks a lot! -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] build: reduce hardcode in `asio_path`
On 09/09/2024 21:43, Petr Portnov wrote: Hi there! Any updates on this proposal? пн, 2 сент. 2024 г. в 22:34, Petr Portnov <mailto:mrjarviscr...@gmail.com>>: Hi there! While working on packaging `openvpn3-linux` for NixOS I've discovered a problem with `asio_path` child path being too strict (since not all distros have `asio` as the parent of `include` directory). Thus I am suggesting a simple patch which allows better control over this path allowing easier integration with distros. Hi! Sorry for the long reply time. Just been a bit too hectic lately. I've seen your patch, and it makes total sense. It's in my pipe to get merged as soon as I have cleaned up a bunch of other changes as well. Again, sorry for the slow response. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN 3 Linux v23 released
se Linux 7 and Ubuntu 23.10 are EOL and is no longer supported. -- kind regards, David Sommerseth OpenVPN Inc Source tarballs --- * OpenVPN 3 Linux v23 <https://swupdate.openvpn.net/community/releases/openvpn3-linux-23.tar.xz> <https://swupdate.openvpn.net/community/releases/openvpn3-linux-23.tar.xz.asc> * GDBus++ v2 <https://swupdate.openvpn.net/community/releases/gdbuspp-2.tar.xz> <https://swupdate.openvpn.net/community/releases/gdbuspp-2.tar.xz.asc> SHA256 Checksums -- 3c5a4e27e0618f395c1688b50b62b887543ff203d4c99af7f7bfe1d61d0e753b openvpn3-linux-23.tar.xz cc801911df93072101e6218ac62c45e8f524cb42c0536e692d8da5fe8b1253d8 openvpn3-linux-23.tar.xz.asc 0a3eab5c7f1f5ba803bec0902bb008b8c7a7040fdaf0e0e94b4ac77ffebf0bfd gdbuspp-2.tar.xz 361fe7f8ced70d49a2899ad4e790d6e9e1832f419ef3d7875226d44d997b7397 gdbuspp-2.tar.xz.asc git references git repositories: - OpenVPN 3 Linux <https://codeberg.org/OpenVPN/openvpn3-linux> (PRIMARY) <https://gitlab.com/openvpn/openvpn3-linux> (code-only mirror) <https://github.com/OpenVPN/openvpn3-linux> (code-only mirror) git tag: v23 git commit: d8239ede97fc91919f35a59a14a116769defcc49 - GDBus++ <https://codeberg.org/OpenVPN/gdbuspp/> (PRIMARY) <https://gitlab.com/openvpn/gdbuspp/> (code-only mirror) <https://github.com/openvpn/gdbuspp/> (code-only mirror) git tag: v2 git commit: 94f29d20accb755a08a9890efe5242d89d5b51bc Changes from v22_dev to v23 --- David Sommerseth (24): configmgr: Load configuration profiles before starting the D-Bus service netcfg: Make NetCfgNotifSubscriptions use uint32_t as filter bit mask codestyle: Fix minor code style deviations build: Enable overriding OpenVPN 3 Core Library version string scripts: Modify the output of the --gui-version addons/devposture: Fix compilation error with older JsonCpp libraries addons/devposture: Make devposture-proxy test program more generic addons/devposture: Document the Enterprise Profile file format build: Install some additional documentation by default docs: Clarify a GDBus++ and mbed TLS build dependencies better build: Set PACKAGE_NAME to 'OpenVPN3/Linux' Some minor #include clean-ups configmgr: Cleaning up #include files configmgr: Use CoreLog for logging events from the Core library. client: Don't stop if devposture service is unavailable devposture/test: Improve argument parsing in devposture-proxy addon/devposture/proxy: Properly re-throw DevPosture::Proxy::Handler exceptions netcfg/resolved: Factor out resolved::Exception to a separate file tests/resolved: Extend systemd-resolved proxy test client with IPv6 support netcfg/resolved: Add new D-Bus IP Address parser class netcfg/resolved: Use GDBus++ glib2 helpers extracting data in SearchDomains::GetGVariant netcfg/resolved: Plug-in resolved::IPAddress into ResolverRecord netcfg/resolved: Refactor out resolved::ResolverRecord core: Update to OpenVPN 3 Core Library v3.10.1 Grzegorz Gutowski (1): python: Pass through --connect-retry and --connect-retry-max Lev Stipakov (5): netcfg: use proper C++ base type for NetCfgChangeType netcfg/proxy: Check non-response call for nullptr before freeing configmgr: remove unused class members addons/aws: Switch to GDBus++ addons/aws: adapt to core RandomAPI changes Razvan Cojocaru (10): core: Update to OpenVPN 3 Core Library releaseprep/3.10 addons/devposture: Add openvpn3-linux-devposture configmgr: Add the enterprise-profile override ovpn3cli/config: Add openvpn3 config-manage --enterprise-profile client: Plug in Device Posture support configmgr: Use a regular expression to determine version number configmgr: Accumulate proxy feature flags instead of overwriting netcfg: Check stub-resolv.conf before giving up on systemd-resolved common: give SingleCommand a virtual destructor addons/devposture: Add core_ver and extra_ver to client_info -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN 3 Linux v22_dev released
OpenVPN 3 Linux v22_dev (Limited Release) This is a limited release primarily targeting Fedora 39 and newer plus Ubuntu 24.04. Other Linux distributions shipping glib2 version 2.76 or newer will also benefit from this release. This release contains a massive re-factoring of the D-Bus integration layer with glib2. The glib2 2.76 and newer releases contains several internal changes which broke the D-Bus implementation layer in OpenVPN 3 Linux v21 and older releases [1]. To fix this, it was decided to split out the base D-Bus integration into a new standalone library which OpenVPN 3 Linux will depend on. This new project is called GDBus++. [1] <https://github.com/OpenVPN/openvpn3-linux/issues/171> The GDBus++ library makes extended use of multi-threading when processing D-Bus method calls and implements modern C++17 approaches when handling requests to registered D-Bus objects. It has also been a strong focus on getting rid of as much of various glib2 warnings which could occasionally appear in prior OpenVPN 3 Linux releases. There are most likely a still a lot more room for improvements to both the new GDBus++ and the upgraded OpenVPN 3 Linux code, which is why this release targets a more limited release scope. This release has only been through the full QA validation on Fedora 39, Fedora 40 and Ubuntu 24.04. That said, this new code can be made available for all the officially supported RPM distributions by enabling a "development snapshots" repository. But this repository will also not have the same QA guarantees as the official stable repositories. On a development note, this project has now migrated to use Meson [2] as the build system. The autoconf/automake build system is now completely removed. The Meson build system has turned out to be way simpler to use and configure than autotools ever was, especially from a developers point of view. [2] <https://mesonbuild.com/> There are unfortunately a few known issues which is targeted for the coming v23 release: - AWS VPC integration is not yet ready, so this add-on is currently not available in this v22_dev release. This is targeted for v23. - Shell completion may list duplicated options in some cases - openvpn3-admin journal --since has a time zone related issue and may not list all log events within the closest hours. Other changes worth mentioning with this release: * Improvement: Upgrade to OpenVPN 3 Core library v3.8.5 This upgrade contains several bug fixes related to the option parser, mostly issues reported by a wide range of users. In addition to incorrect behaviour with the stub compression when the --compress option was used. * Improvement: openvpn3-admin journal --since argument The --since argument can now use the keywords 'today' and 'yesterday'. * Bug fix: openvpn3-admin log-service would not change some settings On some distributions, the --dbus-details and other boolean flags was not properly changed when requested. This has been improved. Credits --- Finally, it is needed to give a HUGE THANK YOU to all the community testers which installed and tested rolling development snapshots during the development of this release. Without all this testing, we would not have the same confidence in this release as we have now. All your help and feedback has been really valuable and helpful during this the development phase. Supported Linux distributions - - Fedora: 39, 40, Rawhide - Ubuntu: 24.04, (amd64, arm64) - Red Hat Enterprise Linux 8, 9 (no QA, development snapshot only [3]) Installation and getting started instructions can be found here: <https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux> The v23 release will also include support for all distributions again, including Debian 12. Debian 11, Red Hat Enterprise Linux 7 and Ubuntu 23.10 will go EOL in just a few days or weeks and will no longer be supported. [3] Fedora Copr development snapshots: <https://copr.fedorainfracloud.org/coprs/dsommers/openvpn3-devsnapshots/> -- kind regards, David Sommerseth OpenVPN Inc Source tarballs --- * OpenVPN 3 Linux v22_dev <https://swupdate.openvpn.net/community/releases/openvpn3-linux-22_dev.tar.xz> <https://swupdate.openvpn.net/community/releases/openvpn3-linux-22_dev.tar.xz.asc> * GDBus++ v1 <https://swupdate.openvpn.net/community/releases/gdbuspp-1.tar.xz> <https://swupdate.openvpn.net/community/releases/gdbuspp-1.tar.xz.asc> SHA256 Checksums -- ad8f373814bfbefd12f9824d57badef4535f6c1fde68d2c73d7ee14863547cb6 openvpn3-linux-22_dev.tar.xz 32af8668130966959319ccd2769146090de5eab73a98612add6a5f9a99ff6921 openvpn3-linux-22_dev.tar.xz.asc e53e47f8529109e138d59ff38374818692b6fe26f2fee2d00642bba272e117a3 gdbuspp-1.tar.xz eff710210
Re: [Openvpn-devel] [PATCH release/2.6] Remove --tls-export-cert
On 22/11/2023 22:51, Gert Doering wrote: Hi, On Wed, Nov 22, 2023 at 03:31:10PM +0100, David Sommerseth wrote: From: David Sommerseth As OpenVPN 2.6+ is doing some adoptions to the license text, all prior contributors need to accept this new text. Unfortunately, Mathieu Giannecchini who implemented the --tls-export-cert feature did not respond at all. Without an explicit acceptance we need to remove this feature to avoid potential legal complications. If this is still a wanted feature, it will need to be re-implemented from scratch. Is this significantly different from the "master" patch that it needs an extra 2.6 patch? (So now I have 4 patches to deal with, not "1 that goes to master + release/2.6"...) The "second set" should just be offset changes between master and release/2.6. I did it that way so you wouldn't need to be worried about any merge conflicts. It is based on the latest heads of master and release/2.6. If you want to just cherry-pick the master patches for 2.6, that's all fine by me. Also if you want to squash them into a single commit as well. These patches are purely intended to ease the merging process, as in "no conflicts expected". And to indicate that this is both master + release/2.6 material. The main reason I overlooked the x509_write_pem() function was that Adriaan de Jong refactored out that functionality from the main feature function into a dedicated function back in the days with the SSL/TLS refactoring to support PolarSSL. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Remove superfluous x509_write_pem()
From: David Sommerseth After removing --tls-export-cert, this function was left in the code base with no other users. This was an oversight in the previous change. Removing it to avoid leaving dead code behind. Signed-off-by: David Sommerseth --- src/openvpn/ssl_verify_backend.h | 11 --- src/openvpn/ssl_verify_mbedtls.c | 7 --- src/openvpn/ssl_verify_openssl.c | 11 --- 3 files changed, 29 deletions(-) diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index 3b798811..d402b1f2 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -249,17 +249,6 @@ result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509, const unsigned *const ex */ result_t x509_verify_cert_eku(openvpn_x509_cert_t *x509, const char *const expected_oid); -/* - * Store the given certificate in pem format in a temporary file in tmp_dir - * - * @param cert Certificate to store - * @param tmp_dir Temporary directory to store the directory - * @param gcgc_arena to store temporary objects in - * - * - */ -result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert); - /** * Return true iff a CRL is configured, but is not loaded. This can be caused * by e.g. a CRL parsing error, a missing CRL file or CRL file permission diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index a1ddf8d0..4596843c 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -547,13 +547,6 @@ x509_verify_cert_eku(mbedtls_x509_crt *cert, const char *const expected_oid) return fFound; } -result_t -x509_write_pem(FILE *peercert_file, mbedtls_x509_crt *peercert) -{ -msg(M_WARN, "mbed TLS does not support writing peer certificate in PEM format"); -return FAILURE; -} - bool tls_verify_crl_missing(const struct tls_options *opt) { diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 3194c232..5afffc1f 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -762,17 +762,6 @@ x509_verify_cert_eku(X509 *x509, const char *const expected_oid) return fFound; } -result_t -x509_write_pem(FILE *peercert_file, X509 *peercert) -{ -if (PEM_write_X509(peercert_file, peercert) < 0) -{ -msg(M_NONFATAL, "Failed to write peer certificate in PEM format"); -return FAILURE; -} -return SUCCESS; -} - bool tls_verify_crl_missing(const struct tls_options *opt) { -- 2.39.3 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Remove superfluous x509_write_pem()
From: David Sommerseth After removing --tls-export-cert, this function was left in the code base with no other users. This was an oversight in the previous change. Removing it to avoid leaving dead code behind. Signed-off-by: David Sommerseth --- src/openvpn/ssl_verify_backend.h | 11 --- src/openvpn/ssl_verify_mbedtls.c | 7 --- src/openvpn/ssl_verify_openssl.c | 11 --- 3 files changed, 29 deletions(-) diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index 3b798811..d402b1f2 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -249,17 +249,6 @@ result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509, const unsigned *const ex */ result_t x509_verify_cert_eku(openvpn_x509_cert_t *x509, const char *const expected_oid); -/* - * Store the given certificate in pem format in a temporary file in tmp_dir - * - * @param cert Certificate to store - * @param tmp_dir Temporary directory to store the directory - * @param gcgc_arena to store temporary objects in - * - * - */ -result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert); - /** * Return true iff a CRL is configured, but is not loaded. This can be caused * by e.g. a CRL parsing error, a missing CRL file or CRL file permission diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index ce213246..56121394 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -536,13 +536,6 @@ x509_verify_cert_eku(mbedtls_x509_crt *cert, const char *const expected_oid) return fFound; } -result_t -x509_write_pem(FILE *peercert_file, mbedtls_x509_crt *peercert) -{ -msg(M_WARN, "mbed TLS does not support writing peer certificate in PEM format"); -return FAILURE; -} - bool tls_verify_crl_missing(const struct tls_options *opt) { diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 3194c232..5afffc1f 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -762,17 +762,6 @@ x509_verify_cert_eku(X509 *x509, const char *const expected_oid) return fFound; } -result_t -x509_write_pem(FILE *peercert_file, X509 *peercert) -{ -if (PEM_write_X509(peercert_file, peercert) < 0) -{ -msg(M_NONFATAL, "Failed to write peer certificate in PEM format"); -return FAILURE; -} -return SUCCESS; -} - bool tls_verify_crl_missing(const struct tls_options *opt) { -- 2.39.3 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH release/2.6] Remove --tls-export-cert
From: David Sommerseth As OpenVPN 2.6+ is doing some adoptions to the license text, all prior contributors need to accept this new text. Unfortunately, Mathieu Giannecchini who implemented the --tls-export-cert feature did not respond at all. Without an explicit acceptance we need to remove this feature to avoid potential legal complications. If this is still a wanted feature, it will need to be re-implemented from scratch. Signed-off-by: David Sommerseth --- README.mbedtls | 1 - doc/man-sections/script-options.rst | 4 -- doc/man-sections/tls-options.rst| 7 src/openvpn/init.c | 1 - src/openvpn/options.c | 14 --- src/openvpn/options.h | 1 - src/openvpn/ssl_common.h| 1 - src/openvpn/ssl_verify.c| 60 + 8 files changed, 2 insertions(+), 87 deletions(-) diff --git a/README.mbedtls b/README.mbedtls index d3466fa9..24a9c224 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -40,5 +40,4 @@ in the mbed TLS version of OpenVPN: Plugin/Script features: * X.509 subject line has a different format than the OpenSSL subject line - * X.509 certificate export does not work * X.509 certificate tracking diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 8c0be0cd..38dcfa2b 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -813,10 +813,6 @@ instances. translations will be recorded rather than their names as denoted on the command line or configuration file. -:code:`peer_cert` -Temporary file name containing the client certificate upon connection. -Useful in conjunction with ``--tls-verify``. - :code:`script_context` Set to "init" or "restart" prior to up/down script execution. For more information, see documentation for ``--up``. diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index d51aff77..45009f7c 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -539,13 +539,6 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa --tls-exit Exit on TLS negotiation failure. ---tls-export-cert directory - Store the certificates the clients use upon connection to this - directory. This will be done before ``--tls-verify`` is called. The - certificates will use a temporary name and will be deleted when the - tls-verify script returns. The file name used for the certificate is - available via the ``peer_cert`` environment variable. - --tls-server Enable TLS and assume server role during TLS handshake. Note that OpenVPN is designed as a peer-to-peer application. The designation of diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 079c4f5e..f4ab1635 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -,7 +,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } to.verify_command = options->tls_verify; -to.verify_export_cert = options->tls_export_cert; to.verify_x509_type = (options->verify_x509_type & 0xff); to.verify_x509_name = options->verify_x509_name; to.crl_file = options->crl_file; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7ca77a8e..dc18b332 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -647,9 +647,6 @@ static const char usage_message[] = " tests of certification. cmd should return 0 to allow\n" " TLS handshake to proceed, or 1 to fail. (cmd is\n" " executed as 'cmd certificate_depth subject')\n" -"--tls-export-cert [directory] : Get peer cert in PEM format and store it \n" -" in an openvpn temporary file in [directory]. Peer cert is \n" -" stored before tls-verify script execution and deleted after.\n" "--verify-x509-name name: Accept connections only from a host with X509 subject\n" " DN name. The remote host must also pass all other tests\n" " of verification.\n" @@ -1998,7 +1995,6 @@ show_settings(const struct options *o) SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); -SHOW_STR(tls_export_cert); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); @@ -3061,7 +3057,6 @@ options_postprocess_verify_ce(const struct options *options, MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); -MUST_BE_UNDEF(tls_export_cert); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4117,8 +4112,6 @@ options_postpro
[Openvpn-devel] [PATCH master] Remove --tls-export-cert
From: David Sommerseth As OpenVPN 2.6+ is doing some adoptions to the license text, all prior contributors need to accept this new text. Unfortunately, Mathieu Giannecchini who implemented the --tls-export-cert feature did not respond at all. Without an explicit acceptance we need to remove this feature to avoid potential legal complications. If this is still a wanted feature, it will need to be re-implemented from scratch. Signed-off-by: David Sommerseth --- README.mbedtls | 1 - doc/man-sections/script-options.rst | 4 -- doc/man-sections/tls-options.rst| 7 src/openvpn/init.c | 1 - src/openvpn/options.c | 14 --- src/openvpn/options.h | 1 - src/openvpn/ssl_common.h| 1 - src/openvpn/ssl_verify.c| 60 + 8 files changed, 2 insertions(+), 87 deletions(-) diff --git a/README.mbedtls b/README.mbedtls index ed9d3691..124eaa2b 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -38,7 +38,6 @@ in the mbed TLS version of OpenVPN: Plugin/Script features: * X.509 subject line has a different format than the OpenSSL subject line - * X.509 certificate export does not work * X.509 certificate tracking * diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 8c0be0cd..38dcfa2b 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -813,10 +813,6 @@ instances. translations will be recorded rather than their names as denoted on the command line or configuration file. -:code:`peer_cert` -Temporary file name containing the client certificate upon connection. -Useful in conjunction with ``--tls-verify``. - :code:`script_context` Set to "init" or "restart" prior to up/down script execution. For more information, see documentation for ``--up``. diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 908a42a1..56da886f 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -555,13 +555,6 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa --tls-exit Exit on TLS negotiation failure. ---tls-export-cert directory - Store the certificates the clients use upon connection to this - directory. This will be done before ``--tls-verify`` is called. The - certificates will use a temporary name and will be deleted when the - tls-verify script returns. The file name used for the certificate is - available via the ``peer_cert`` environment variable. - --tls-server Enable TLS and assume server role during TLS handshake. Note that OpenVPN is designed as a peer-to-peer application. The designation of diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 8c707a46..659c79e3 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3323,7 +3323,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } to.verify_command = options->tls_verify; -to.verify_export_cert = options->tls_export_cert; to.verify_x509_type = (options->verify_x509_type & 0xff); to.verify_x509_name = options->verify_x509_name; to.crl_file = options->crl_file; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2594b665..1521872d 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -638,9 +638,6 @@ static const char usage_message[] = " tests of certification. cmd should return 0 to allow\n" " TLS handshake to proceed, or 1 to fail. (cmd is\n" " executed as 'cmd certificate_depth subject')\n" -"--tls-export-cert [directory] : Get peer cert in PEM format and store it \n" -" in an openvpn temporary file in [directory]. Peer cert is \n" -" stored before tls-verify script execution and deleted after.\n" "--verify-x509-name name: Accept connections only from a host with X509 subject\n" " DN name. The remote host must also pass all other tests\n" " of verification.\n" @@ -1989,7 +1986,6 @@ show_settings(const struct options *o) SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); -SHOW_STR(tls_export_cert); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); @@ -3052,7 +3048,6 @@ options_postprocess_verify_ce(const struct options *options, MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); -MUST_BE_UNDEF(tls_export_cert); MUST_BE_UNDEF(verify_x509_name); MUST_BE_
[Openvpn-devel] OpenVPN 3 Linux v21 released
more easily in the logs. * Improvements: OpenVPN 3 Configuration Manager feature support tracking When upgrading OpenVPN 3 Linux versions, there might be situations where an older OpenVPN 3 Configuration Manager will be running but the openvpn3 command line tool is newer. When the command line tool attempts to access features in the Configuration Manager backed not available, it would result in an error and a poorer user experience. The code providing the glue interface for the calling side (openvpn3) has been extended with a feature/version mapping, so it can filter out operations not supported if the backend version is lacking certain functions. In most cases, the openvpn3 config commands will then continue to work as before, just not providing access to features available in newer back-ends. A similar functionality is planned for the Session Manager and is being considered for the OpenVPN 3 Python module. * Improvements: OpenVPN 3 Python module Configuration profiles from OpenVPN Access Server and some times OpenVPN Cloud Connexa will often contain "meta options", typically prefixed with "# OVPN_". The Python parser would not accept several of the deprecated meta options. The parser has now been extended to filter out those options not needed, used or supported by the OpenVPN 3 Core Library. * Improvements: Adjustments needed to satisfy Debian packaging Several minor issues has been done to satisfy the Debian package linter utility. There are still some issues left, some will not be possible to improve before Debian ships with a newer dbus-daemon - as we need functionality present in a newer release. The dbus-broker is also lacking a similar functionality currently. See the _credits_ section below for a bit more details on this. * Feature: Label/tag support for imported OpenVPN configuration profiles The OpenVPN 3 Configuration Manager and the openvpn3 config-manage and configs-list commands has been extended to with the ability to add one or more text labels to configuration profiles. At import time, the openvpn3 config-import command can also assign tags immediately. Users with many imported configuration profiles can more easily filter which configurations shown with the openvpn3 configs-list command. Other tools (openvpn3-as, openvpn-connector-setup) will also make use of this feature as they are being updated, to more easily understand where a configuration profile arrived from. * Feature: JSON formatted output with openvpn3 configs-list and config-dump The list of configurations can now be retrieved as a JSON formatted list via the openvpn3 configs-lists. The openvpn3 config-dump will normally dump the normal configuration using the standard OpenVPN configuration file format. The JSON format will contain all the additional meta options, overrides and access control lists not expressed in the standard file format. This format is the same format used internally for persistent configuration profiles. * Feature: Filtering options when retrieving available configurations The openvpn3 configs-list command has been extended with several filter arguments to only extract filters with a specific tag or owner as well as a simple prefix filter on the configuration name. The OpenVPN 3 Configuration Manager also exposes two new D-Bus methods to retrieve available configuration profiles based on a tag or owner. * Feature: Simple and verbose list formats in openvpn3 configs-list The default listing in openvpn3 configs-list has been simplified and will only list one configuration profile per line now. The more comprehensive list can be retrieved using the --verbose argument. The verbose list will also include configuration tags. Supported Linux distributions - - Debian 10, 11, 12 (amd64, arm64) - Red Hat Enterprise Linux 7 (x86_64) - Red Hat Enterprise Linux 8 and 9 (x86_64, aarch64) - Ubuntu 20.04 and 22.04, (amd64, arm64) The arm64 support on selected Debian and Ubuntu releases are considered tech-preview. We would like to get feedback from arm64 users how OpenVPN 3 Linux works here, then we can remove the tech-preview label for arm64. Installation and getting started instructions can be found here: <https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux> Credits --- This release has also received help from other contributors. Thank you to all of you! Antonio Quartulli Frank Lichtenheld Jeremy Fleischman mattjbyrd In addition, a "thanks in advance" goes to the work Marc Leeman is currently doing to provide a native Debian repository package for OpenVPN 3 Linux. Thanks a lot, Marc! That work can be followed here: <https://github.com/OpenVPN/openvpn3-linux/issues/193> --
Re: [Openvpn-devel] [PATCH v2] Fix StatusChangeCallback so it works without a LogCallback
On 06/09/2023 19:17, Jeremy Fleischman wrote: `StatusChangeCallback` requires that LogForward be enabled, which previously only happened in `LogCallback`. Now both of them do it, which requires a bit of bookkeeping. This fixes https://github.com/OpenVPN/openvpn3-linux/issues/197 Signed-off-by: Jeremy Fleischman --- src/python/openvpn3/SessionManager.py | 69 ++- 1 file changed, 58 insertions(+), 11 deletions(-) Thanks a lot for your patience and persistence through this review. Your patch has been put into the queue for the coming v21 release. I've not yet pushed out that branch, as I'm waiting for our QA team to complete the testing of an updated OpenVPN 3 Core library release first; which is required to be able to build OpenVPN 3 Linux from the public repos. But consider your patch applied. I've only done minor edits to some comments and commit messages, but the code itself is unchanged. I'll follow-up with an update once this commit is public. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Fix StatusChangeCallback so it works without a LogCallback
On 05/09/2023 07:03, Jeremy Fleischman wrote: I have a feeling we're missing a check here. Got it! You're right, I've added that in the v2 version of this patch (see below). Could you send this via git-send-email, I think this is getting ready to be pulled in now. $ git send-email -v2 \ --in-reply-to 20230709231929.195048-1-jeremyfleisch...@gmail.com Thx! -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Fix StatusChangeCallback so it works without a LogCallback
On 04/09/2023 23:27, Jeremy Fleischman wrote: elif (cbfnc is not None and self.__log_callback is not None): # In this case, the program must first disable the # current LogCallback() before setting a new one. raise RuntimeError('LogCallback() is already enabled') This should enforce only one callback function being enabled this way, and if the callback need to be changed - it's enough to first do disable it (LogCallback(None)) before setting the new one. And if more callbacks functions is wanted/needed, the additional ones can be called via the callback function registered with the LogCallback(). No need to make this code more complicated. That makes sense! I *think* things get a little cleaner if we move this check to the top of the relevant functions (StatusChangeCallback and LogCallback). Basically, by first eliminating the possibility that we're changing an existing registered dbus callback, then we don't actually need to be as careful later on. For example, here's an updated version of LogCallback: def LogCallback(self, cbfnc): if cbfnc is not None and self.__log_callback is not None: # In this case, the program must first disable the # current LogCallback() before setting a new one. raise RuntimeError('LogCallback() is already enabled') if cbfnc is not None: self.__log_callback = cbfnc self.__dbuscon.add_signal_receiver(cbfnc, signal_name='Log', dbus_interface='net.openvpn.v3.backends', bus_name='net.openvpn.v3.log', path=self.__session_path) else: # Only remove the callback if there actually *is* a callback # currently. if self.__log_callback is not None: self.__dbuscon.remove_signal_receiver(self.__log_callback, 'Log') self.__log_callback = None self.__set_log_forward() Does this seem safe? I have a feeling we're missing a check here. The first check (with the raise RuntimeError), cbfnc and __log_callback are both set. Next check will enable the signal receiver if cbfnc is set. The previous check enforces __log_callback to not be set in this case; this is probably fine - but should have a comment of this condition. The else: clause I'm less convinced about. If cbfnc is None, __log_callback can also be None, which would trigger a remove_signal_receiver() call. We should avoid that. I'm not familiar with path email etiquette/best practices. Let me know if/when I should send a fully updated patch. So far, we've discussed possible solutions - so it has been fine doing it like this now. But I think with this last round, we can go for a v2 patch. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Fix StatusChangeCallback so it works without a LogCallback
[re-sent to ML] On 04/09/2023 19:51, Jeremy Fleischman wrote: diff --git a/src/python/openvpn3/SessionManager.py b/src/python/openvpn3/SessionManager.py index 3632790..1a567be 100644 --- a/src/python/openvpn3/SessionManager.py +++ b/src/python/openvpn3/SessionManager.py @@ -114,6 +114,7 @@ def __init__(self, dbuscon, objpath): self.__log_callback = None self.__status_callback = None self.__deleted = False +self.__log_forward_enabled = False def __del__(self): @@ -291,16 +292,11 @@ def LogCallback(self, cbfnc): dbus_interface='net.openvpn.v3.backends', bus_name='net.openvpn.v3.log', path=self.__session_path) -self.__session_intf.LogForward(True) else: -try: -self.__session_intf.LogForward(False) -except dbus.exceptions.DBusException: -# If this fails, the session is typically already removed -pass self.__dbuscon.remove_signal_receiver(self.__log_callback, 'Log') self.__log_callback = None Oops, this code unconditionally removes the callback, even if there isn't currently a callback. The code below in StatusChangeCallback first checks if there is currently a callback registered before removing it. If `self.__dbuscon.remove_signal_receiver` is resilient to getting passed None values for callbacks, then I suppose would could skip the check and just unconditionally remove the callback. Let me know what's best. If you look at my proposal; in the LogCallback() method, I have this check: if cbfnc is not None and self.__log_callback is None: while you only do: if cbfnc is not None: I believe you need to check both (more below on that). And there is a similar logic check when disabling the callback: elif cbfnc is None and self.__log_callback is not None: I believe this is the trap you fell into. Your new patch just do an "else:" The additional final check of setting a new callback without disabling the previous one can avoid some additional trouble. IIRC, the Python D-Bus API will actually call multiple callbacks if add_signal_receiver() is called more times with different callback methods. To support this, the LogCallback() and StatusChangeCallback() methods would need to track each callback function independently. I did not consider this a needed feature just yet; hence the additional final check: elif (cbfnc is not None and self.__log_callback is not None): # In this case, the program must first disable the # current LogCallback() before setting a new one. raise RuntimeError('LogCallback() is already enabled') This should enforce only one callback function being enabled this way, and if the callback need to be changed - it's enough to first do disable it (LogCallback(None)) before setting the new one. And if more callbacks functions is wanted/needed, the additional ones can be called via the callback function registered with the LogCallback(). No need to make this code more complicated. Otherwise, I like what you did to __set_log_forward(). That makes sense! -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Fix StatusChangeCallback so it works without a LogCallback
Hi Jeremy, First of all; sorry it's taken so long time to get back to you. GH issue #171 has unfortunately taken most of my time, so this patch went on the side burner. I've looked at your patch, and I wonder if it can be done a bit simpler. I'm open to hear your views; I might have overlooked some details. On 10/07/2023 01:19, Jeremy Fleischman wrote: [...snip...] @@ -285,22 +286,24 @@ def GetFormattedStatistics(self, prefix='Connection statistics:\n', format_str=' # def LogCallback(self, cbfnc): if cbfnc is not None: +# Remove the existing callback if there is one. +if self.__log_callback is not None: +self.LogCallback(None) + self.__log_callback = cbfnc self.__dbuscon.add_signal_receiver(cbfnc, signal_name='Log', dbus_interface='net.openvpn.v3.backends', bus_name='net.openvpn.v3.log', path=self.__session_path) -self.__session_intf.LogForward(True) +self.__add_LogForward_receiver() I'm wondering if this could be made cleared. The recursion is kinda clever, but feels like it hides the purpose. Wouldn't this code below work just as well (consider this more a concept code than proper Python code)? Here there is no recursion and no reference counting which could go wrong. class Session(object): [...] self.__log_forward_enabled = False def LogCallback(self, cbfnc): if cbfnc is not None and self.__log_callback is None: # Log Callback function is being enabled; not # set before self.__log_callback = cbfnc self.__dbuscon.add_signal_receiver(cbfnc, ...) self.__set_log_forward(True) elif cbfnc is None and self.__log_callback is not None: # Log Callback function is being disabled; can only # happen because it was set self.__dbuscon.remove_signal_receiver(self.__log_callback, ...) self.__log_callback = None try: self.__set_log_forward(False) except dbus.exception.DBusException: pass elif (cbfnc is not None and self.__log_callback is not None): # In this case, the program must first disable the # current LogCallback() before setting a new one. raise RuntimeErrpr('LogCallback() is already enabled') # No need to complain if unsetting an unset log callback # function; this will not have any behavioral impact at all. def __set_log_forward(self, enable): # This method can only be called *after* callback # function has been set in this object if not self.__log_forward_enabled and enable: # If log forwarding is disabled it can be enabled self.__log_forward_enabled = True self.__session_intf.LogForward(True) elif self.__log_forward_enabled and not enable: # Log forwarding can only be disabled if # both Log and StatusChange callbacks are unset if (self.__log_callback is None) and (self.__status_callback is None): self.__log_forward_enabled = False self.__session_intf.LogForward(False) The StatusChangeCallback() would need a similar implementation as LogCallback() too. In regards to multi-threading; I would not expect this code to be used in a multi-threaded setup where different callbacks would be enabled/disabled on the fly in parallel. But it might be good to add this as a comment in general, that these methods are not considered thread-safe. However, since the code snippets above does not use reference counting, it should be a bit more robust as it bases the decision on the value of the callback function pointers. Thoughts? -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] ntlm: Clarify details on NTLM phase 3 decoding
On 02/08/2023 13:31, David Sommerseth wrote: From: David Sommerseth The code was very clear if we accept that the base64 decode of the There is a "not" missing in the line above: "The code was not very clear ..." I'm fine with fixing this at commit time. -- kind regards, David Sommerseth OpenVPN Inc NTLM challenge was truncated or not. Move the related code lines closer to where it first used and comment what we are not concerned about any truncation. If the decoded result is truncated, the NTLM server side will reject our new response to the challenge as it will be incorrect. The buffer size fixed and known to be in a cleared state before the decode starts. Resolves: TOB-OVPN-14 Signed-off-by: David Sommerseth --- src/openvpn/ntlm.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] ntlm: Clarify details on NTLM phase 3 decoding
From: David Sommerseth The code was very clear if we accept that the base64 decode of the NTLM challenge was truncated or not. Move the related code lines closer to where it first used and comment what we are not concerned about any truncation. If the decoded result is truncated, the NTLM server side will reject our new response to the challenge as it will be incorrect. The buffer size fixed and known to be in a cleared state before the decode starts. Resolves: TOB-OVPN-14 Signed-off-by: David Sommerseth --- src/openvpn/ntlm.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 0cb0a32f..2e772141 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -207,7 +207,6 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, */ char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */ -uint8_t buf2[128]; /* decoded reply from proxy */ uint8_t phase3[464]; uint8_t md4_hash[MD4_DIGEST_LENGTH + 5]; @@ -230,8 +229,6 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, bool ntlmv2_enabled = (p->auth_method == HTTP_AUTH_NTLM2); -CLEAR(buf2); - ASSERT(strlen(p->up.username) > 0); ASSERT(strlen(p->up.password) > 0); @@ -264,6 +261,12 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, /* pad to 21 bytes */ memset(md4_hash + MD4_DIGEST_LENGTH, 0, 5); +/* If the decoded challenge is shorter than required by the protocol, + * the missing bytes will be NULL, as buf2 is known to be zeroed + * when this decode happens. + */ +uint8_t buf2[128]; /* decoded reply from proxy */ +CLEAR(buf2); ret_val = openvpn_base64_decode(phase_2, buf2, -1); if (ret_val < 0) { -- 2.39.3 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH OpenVPN3] Add 'pull' to ignored options
On 27/07/2023 14:21, Merten Fermont wrote: Hi Arne, I changed my patch to check the client and client+pull options. Giving an error when neither options are declared. This however may break current implementations that depend on 'client' not being a required option? Greetings, Merten Subject: [PATCH] Check for client options Hi, Thanks for your patch. Changes looks reasonable to me as well, and I wanted to pull it in. But it turns out that the patch has been mangled somehow. Even good old 'patch' refuses to apply anything. This is not an unknown issue with gmail.com; which is why we generally recommend to use 'git send-mail' [1]. In this specific case, resending the patch as an attachment can also work. [1] <https://git-scm.com/docs/git-send-email> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Automatically restart Linux systemd OpenVPN client service on failure
On 14/05/2023 14:41, Gert Doering wrote: Hi, On Sun, May 14, 2023 at 02:38:06PM +0200, Arne Schwabe wrote: Yes the option we ignore to check if we have to reopen the tun device is quite short. We should probably turn this into a positive list instead of assuming that all options need to trigger to a tun reopen/close. True, but even so - shouldn't the systemd unit file just restart the openvpn client anyway? (I see myself having to restart the OpenSolaris Community VPN client ever so often...) We had this discussion back in the days when we added the automatic restart on servers. In the unit file for openvpn-server@.service we added: RestartSec=5s Restart=on-failure We ended up only enabling this on the server config by default, as it was some good points (which I don't recall right now) about not restarting the client configs automatically. It might have been due to avoid DDoS the server in larger deployments, if a bad option would be pushed to all clients or something like that. This is anyhow very easily added on a per-config bases using a systemd feature: # systemctl edit openvpn-client@CONFIGNAME.service In the file opened in the editor, just add "[Service]" and those two lines mentioned earlier. You might want to have a bit longer "Restart" timer, but that's up to the local sysadmin to judge best. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v3] Add Apache2 linking with for new commits
On 26/04/2023 11:49, Arne Schwabe wrote: After first round of mailing people with more than 10 commits we have almost all committers have agreed. This put this license in the realm of having a realistic change to work. Had any of these contributers disagreed, rewriting all their code might have been not feasible. The rationale of adding this exception now is to avoid having to have a second round of agreement for new contributers and ensure that all new code will include the exemption. patch v2: add explaination and use exception rather than excemption patch v3: actually send v3 Change-Id: Ide83f914f383b53ef37ddf628e4da5a78e241bf0 Signed-off-by: Arne Schwabe LGTM and is (almost) the same text as the proposal [1] sent February 15, 2023. A little extra character has been added, which can be removed at commit time. See comment below in the diff. [1] Message-Id: <9160f6a3-1a61-d112-7a48-a7da4af38...@eurephia.org> <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26269.html> Acked-By: David Sommerseth --- COPYING | 47 +++ 1 file changed, 47 insertions(+) diff --git a/COPYING b/COPYING index e12c51414..a6f8a6f5f 100644 --- a/COPYING +++ b/COPYING @@ -31,6 +31,53 @@ OpenVPN license: file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. +Apache2 linking exception: +--- +OpenVPN is currently undergoing a license change to add an exception for +Apache 2 linking. The following exception is only valid for new contributions +after COMMITDATE and past contribution where the authors have already agreed +to the exception. + + In addition, as a special exception, OpenVPN Inc and the + contributors give permission to link the code of this program to + libraries (the "Libraries") licensed under the Apache License + version 2.0 (this work and any linked library the "Combined Work") + and copy and distribute the Combined Work without an obligation to + license the Libraries under the GNU General Public License v2 + (GPL-2.0) as required by Section 2 of the GPL-2.0, and without an + obligation to refrain from imposing any additional restrictions in + the Apache License version 2 that are not in the GPL-2.0, as + required by Section 6 of the GPL-2.0. You must comply with the` The line above ends with an additional ` -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied openvpn3-linux] openvpn3-config-manage: Fix description in man page
From: David Sommerseth Your patch has been applied to the master branch commit 97c729808a688364c16d17f7c34a4c7229ca0131 master Author: Frank Lichtenheld Date: Tue, 02 May 2023 12:02:27 + docs/man: Fix description in openvpn3-config-manage man page Signed-off-by: Frank Lichtenheld Message-Id: <20230502120227.30592-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26613.html Signed-off-by: David Sommerseth -- kind regards, David Sommerseth ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN 3 Linux v20 released
tributions - - Debian 10 (amd64, arm64) - Debian 11 (amd64, arm64) - Fedora 36, 37 and 38 (x86_64, aarch64, s390x) - Red Hat Enterprise Linux 7 (x86_64) - Red Hat Enterprise Linux 8 and 9 (x86_64, aarch64) - Ubuntu 18.04, 20.04 and 22.04, (amd64, arm64) The arm64 support on selected Debian and Ubuntu releases are considered tech-preview. We would like to get feedback from arm64 users how OpenVPN 3 Linux works here, then we can remove the tech-preview label for arm64. The non-LTS Ubuntu releases has been unlisted. The OpenVPN 3 Linux project will primarily focus the LTS releases. The non-LTS releases will still get builds, but they will no go through the same kind of testing before releases. Those builds will also not necessarily arrive at the same time as the builds for LTS releases. Installation and getting started instructions can be found here: <https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux> Credits --- Since this is the first stable release, it's appropriate to give some credits to people who have contributed in various ways to this project so far. A huge thanks goes to: Antonio Quartulli Arne Schwabe Ben Yanke David Schneider dangerfish96 fldu Frank Lichtenheld Frans Klaver Heiko Hund Jagadeesh Kotra Johan Draaisma John Eismeier Kevin Lindsay Lev Stipakov Mykola Stolyarenko Raphael Mader Romain Loutrel Samuli Seppänen In addition comes all those who have tested OpenVPN 3 Linux and provided feedback through various channels through all these releases. You have all been important in ensuring this project has evolved and matured. I'm sorry I don't have a proper list of all you, but you would also deserve to be mentioned. -- kind regards, David Sommerseth OpenVPN Inc Source tarballs --- * OpenVPN 3 Linux v20 <https://swupdate.openvpn.net/community/releases/openvpn3-linux-20.tar.xz> <https://swupdate.openvpn.net/community/releases/openvpn3-linux-20.tar.xz.asc> SHA256 Checksums -- git references git repositories: <https://codeberg.org/OpenVPN/openvpn3-linux> (Primary) <https://gitlab.com/openvpn/openvpn3-linux> (mirror) <https://github.com/OpenVPN/openvpn3-linux> (mirror) git tag: v20 git commit: e7531f45d3743bfe58223a6b56794aa8bba01ba9 Changes from v19_beta to v20--- --- David Sommerseth (47): Coding style update build/clang++: Fix build issues with clang++14 log: Add default initialising of LogEvent members log: Extend LogEvent with group/category parsing from strings log: Extend LogEvent with str() method ovpn3cli/log: Use the new LogEvent::str() method log: Adding Log::Journald::Parser and related classes ovpn3cli: New command - openvpn3-admin journal copyright: Use SPDX license tags core: Update to OpenVPN 3 Core library v3.7.2 Add .git-blame-ignore-revs with instructions cli/session-manage: Make --resume and --restart run in background log: Ensure extracted systemd-journald fields have correct length docs/man: Fix missing backslash in Makefile.am build: Unbreak non-systemd based builds again dbus: Add AUTH_PENDING related constants client: Implement support for CR_TEXT pending authentication tests: Extend requires-queue tests with ClientAttentionGroup::CHALLENGE_AUTH_PENDING common/dbus: Migrate g_variant_get() to GLibUtils::ExtractValue<>() selinux: Allow openvpn3_client_t to use syslog copyright: Fix typo in a license tag ovpn3cli: User credential input error handling input with session-start cli: Improve behaviour with incorrect PK passphrase or CONN_FAILED netcfg: Exit early if systemd-resolved cannot be reached common: Add support for comment fields in SingleCommand arg parser build: Add a check for the libselinux library ovpn3cli/admin: Add new init-config command log: Don't hard-code --journald in auto-start service docs: Update openvpn3-autoload documentation copyright: Update copyright years build: Ensure OPENVPN3_STATEDIR is properly set ovpn3cli/admin: Check chown/chmod return codes in init-config ovpn3cli/admin: Make init-config check SELinux status first docs: Clean up the "SEE ALSO" sections in some base man pages log: Filter out UNDEFINED LogGroup and LogCategory log/jourald: Don't provide strings for LogCategory/LogGroup::UNDEFINED ovpn3cli/admin: Make init-config also check for configs subdir ovpn3cli/admin: Clean up incorrect wording in init-config man: Updating openvpn3-linux.7
Re: [Openvpn-devel] [PATCH] Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
On 14/03/2023 10:02, David Sommerseth wrote: On 14/03/2023 09:45, David Sommerseth wrote: On 11/03/2023 06:24, selva.n...@gmail.com wrote: From: Selva Nair - With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex() which returns EC signature as raw r|s concatenated. But OpenSSL expects a DER encoded ASN.1 structure. Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig() is consolidated with sig to DER conversion as ecdsa_bin2der() and moved to xkey_helper.c In the past when we used OpenSSL hooks installed by pkcs11-helper, such a conversion was not required as it was internally handled by the library. Reported by: Tom Signed-off-by: Selva Nair Just FYI, this report appeared in the bugzilla for the Fedora packaging. This seems related to this patch. <https://bugzilla.redhat.com/show_bug.cgi?id=2177834> I will try to prepare a Fedora build with this patch added, for further testing. Fedora Koji builds of OpenVPN 2.6.1 with this patch included: Fedora 38: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680872> x86_64 packages: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680943> Fedora 37: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680878> x86_64 packages: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680991> Just got feedback from the reporter in the Fedora bugzilla; this patch works well on Fedora 38. I suggest adding this tag to the commit log. Feel free to add the URL tag to the bugzilla ticket too. Tested-by: flor...@apolloner.eu -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
On 14/03/2023 09:45, David Sommerseth wrote: On 11/03/2023 06:24, selva.n...@gmail.com wrote: From: Selva Nair - With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex() which returns EC signature as raw r|s concatenated. But OpenSSL expects a DER encoded ASN.1 structure. Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig() is consolidated with sig to DER conversion as ecdsa_bin2der() and moved to xkey_helper.c In the past when we used OpenSSL hooks installed by pkcs11-helper, such a conversion was not required as it was internally handled by the library. Reported by: Tom Signed-off-by: Selva Nair Just FYI, this report appeared in the bugzilla for the Fedora packaging. This seems related to this patch. <https://bugzilla.redhat.com/show_bug.cgi?id=2177834> I will try to prepare a Fedora build with this patch added, for further testing. Fedora Koji builds of OpenVPN 2.6.1 with this patch included: Fedora 38: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680872> x86_64 packages: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680943> Fedora 37: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680878> x86_64 packages: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680991> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
On 11/03/2023 06:24, selva.n...@gmail.com wrote: From: Selva Nair - With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex() which returns EC signature as raw r|s concatenated. But OpenSSL expects a DER encoded ASN.1 structure. Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig() is consolidated with sig to DER conversion as ecdsa_bin2der() and moved to xkey_helper.c In the past when we used OpenSSL hooks installed by pkcs11-helper, such a conversion was not required as it was internally handled by the library. Reported by: Tom Signed-off-by: Selva Nair Just FYI, this report appeared in the bugzilla for the Fedora packaging. This seems related to this patch. <https://bugzilla.redhat.com/show_bug.cgi?id=2177834> I will try to prepare a Fedora build with this patch added, for further testing. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] dns option: remove support for exclude-domains
On 28/02/2023 05:41, Heiko Hund wrote: No DNS resolver currently supports this and it is not possible to emulate the behavior without the chance of errors. Finding the effective default system DNS server(s) to specify the exclude DNS routes is not trivial and cannot be verified to be correct without resolver internal knowledge. So, it is better to not support this instead of supporting it, but incorrectly. Signed-off-by: Heiko Hund --- doc/man-sections/client-options.rst | 14 +- src/openvpn/dns.c | 13 ++--- src/openvpn/dns.h | 7 --- src/openvpn/options.c | 16 4 files changed, 7 insertions(+), 43 deletions(-) I've only glared at the code and quickly done a few compile tests. LGTM. Change itself also makes sense. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN Linking Exception
OpenVPN 2.x is licensed under the GNU Public License v2.0 (GPL-2.0). This license has served us well in the past and we are not trying to change that. However, changes in licenses of our dependencies put us in an unfortunate situation. Both mbed TLS and OpenSSL nowadays use the Apache 2.x license (APL-2). For the OpenSSL library we have a special exception that allows us linking with it. For newer mbed TLS versions, we cannot do this any more. The APL-2 allows very liberal use of its source code when including it in other program (like BSD license). Unlike BSD licenses, the APL-2 has a few additions that position it better in today's legal landscape. It requires patent grant (in layman terms: you cannot contribute to an APL-2 licensed project and later sue someone for using your patents on the code you contributed). This is the most critical aspect where the APL-2 is incompatible with GPL-2.0 according to Free Software Foundation - <https://www.gnu.org/licenses/license-list.html#apache2>. A short overview of APL-2 and license text can be found here: <https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)#summary> The OpenVPN community has discussed these issues with Pamela Chestek <https://www.chesteklegal.com/> on the linking exception. She is a renowned open source license legal expert. Various options for this challenge have been studied and evaluated. What is clear is that we will need a linking exception. The OpenSSL and mbed TLS libraries may be considered system libraries on Linux systems but cannot be considered as such for distributions of the OpenVPN binary on Windows, macOS or Android. The proposed linking exception for OpenVPN: In addition, as a special exception, OpenVPN Inc and the contributors give permission to link the code of this program to libraries (the "Libraries") licensed under the Apache License version 2.0 (this work and any linked library the "Combined Work") and copy and distribute the Combined Work without an obligation to license the Libraries under the GNU General Public License v2 (GPL-2.0) as required by Section 2 of the GPL-2.0, and without an obligation to refrain from imposing any additional restrictions in the Apache License version 2 that are not in the GPL-2.0, as required by Section 6 of the GPL-2.0. You must comply with the GPL-2.0 in all other respects for the Combined Work, including the obligation to provide source code. If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. This exception is the verbatim copy from Pamela Chestek, and the content in this copy above has been reviewed by her. There is some legalese phrases there (in particular related to "Combined work") which may seem odd, but this is common practice in legal definitions. In plain non-legalese English this basically says: * The intention for this license exception is to allow OpenVPN to be linked against APL-2 licensed libraries, even where the GPL-2.0 and APL-2 licenses conflict from a legal perspective. * OpenVPN itself will stay GPL-2.0 and the code belonging to the OpenVPN project must comply to the GPL-2.0 license. This is NOT dual-licensing of the OpenVPN code base. * This license exception DOES NOT require NOR expect a license change of the APL-2 based library. This exception allows using the APL-2 library as-is. However, when distributing a compiled OpenVPN binary linking against APL-2 libraries ("Combined Work"), the REQUIREMENT is that the APL-2 library MUST also be available on similar terms as in GPL-2.0, like providing the source code of the library upon request, except in the two specific ways mentioned. * If the APL-2 based library forbids such linking and distribution, this license exception DOES NOT overrule the restriction of the APL-2 based library. If the APL-2 library cannot satisfy the requirements in this license exception, you CANNOT distribute an OpenVPN binary linked with this library. I hope we can reach an agreement and replace the current OpenSSL linking exception with this new exception above. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] OpenVPN 2.6.0 released
On 27/01/2023 12:32, André wrote: Hi, So download link in Forum Announcement should be corrected? https://forums.openvpn.net/viewtopic.php?t=35260 Yes, thank you! Updated! -- kind regards, David Sommerseth OpenVPN Inc --- Original Message --- On Friday, January 27th, 2023 at 01:53, David Sommerseth wrote: On 25/01/2023 20:50, Frank Lichtenheld wrote: [...snip...] On Red Hat derivatives we recommend using the Fedora Copr repository. https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/ A slight update here. The repo above will be preserved for OpenVPN 2.5 releases. A new repository for OpenVPN 2.6 has been published: https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/ -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] OpenVPN 2.6.0 released
On 25/01/2023 20:50, Frank Lichtenheld wrote: [...snip...] On Red Hat derivatives we recommend using the Fedora Copr repository. <https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/> A slight update here. The repo above will be preserved for OpenVPN 2.5 releases. A new repository for OpenVPN 2.6 has been published: <https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] dco: print proper message in case of transport disconnection
On 12/01/2023 09:43, Lev Stipakov wrote: Hi, -/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ This specific hunk is beyond my pay grade. I dug into this. License wise, GPL-2.0 is the same as GPL-2.0-only in the spdx.dev [1] specification. But the change isn't correct according to SPDX specification standard v3; the short versions (GPL-*.*) was deprecated in favor of the longer version (GPL-*.*-only). I would let this change pass now, as it doesn't change the license itself. Later on this can be unified to a specific SPDX specification standard across all files. [1] <https://spdx.dev/licenses/> -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied openvpn3-linux] tests: platforminfo: skip DBus test if hostname service isn't available
From: David Sommerseth Thanks a lot! This patch was a by the book in every possible way, so this was really easy to review and apply. Acked-by: David Sommerseth - Your patch has been applied commit 1576e34a1f45133bd4c6df495eaef9387ecd1b4d master Author: Frans Klaver Date: Thu, 01 Dec 2022 07:50:13 + tests: platforminfo: skip DBus test if hostname service isn't available Signed-off-by: Frans Klaver Acked-by: David Sommerseth Patchwork-Id: 2880 URL: https://patchwork.openvpn.net/patch/2880/ -- kind regards, David Sommerseth ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN 3 Linux client - v19 beta released
release will be one of the last beta releases or a stable release depends on what bugs and issues are discovered in this release and what kind of code changes are needed to complete the outstanding issues we want resolved for the stable release. Supported Linux distributions - - Debian 10 (amd64, arm64) - Debian 11 (amd64, arm64) - Fedora 35 and 36 (x86_64, aarch64, s390x) - Red Hat Enterprise Linux 7 (x86_64) - Red Hat Enterprise Linux 8 and 9 (x86_64, aarch64) - Ubuntu 18.04, 20.04, 21.10 and 22.04 (amd64, arm64) Both Fedora 37 and Ubuntu 22.10 will come in the near future as well, they are currently not made available yet. The arm64 support on selected Debian and Ubuntu releases are currently considered a tech-preview. We would like to get feedback from arm64 users how OpenVPN 3 Linux works here, then we can remove the tech-preview label for arm64. -- kind regards, David Sommerseth OpenVPN Inc Source tarballs --- * OpenVPN 3 Linux v18 beta <https://swupdate.openvpn.net/community/releases/openvpn3-linux-19_beta.tar.xz> <https://swupdate.openvpn.net/community/releases/openvpn3-linux-19_beta.tar.xz.asc> SHA256 Checksums -- git references git repositories: <https://gitlab.com/openvpn/openvpn3-linux> <https://github.com/OpenVPN/openvpn3-linux> <https://codeberg.org/OpenVPN/openvpn3-linux> git tag: v19_beta git commit: 33da965fa4151a05f95f385f00f338fa028471a2 Changes from v18_beta to v19_beta -- David Sommerseth (74): tests: Improve MachineIDTest::get_systemd_api test build: Split up proxy-netcfg into a manager and device compilation unit core: Update to latest OpenVPN 3 Core Library 3.7 development shell: Fix proposing more options to --config shell completion shell: Fix trailing spaces in bash-completion build: Generate C compatible header file dbus: Add missing #include in glibutils.hpp log: Move LogTag into its own compilation unit log: Extend LogTag to enable/disable the tag mark encapsulation log: Extend LogTag with copy constructor log: Add new helper classes for log meta data log: Implement the new meta data log handling log: Extend LogMetaDataValue to process LogTag objects log: Extend LogMetaData with GetMetaDataRecords() method log: Use LogTag in Logger class instead of std::string common: Allow setting default filename in Configuration::File ctor common: Extend Configuration::File with Get/Set for more data types log: Re-implement configuration state saving log: Switch to GLibUtils::ExtractValue in LogEvent log: Implement LogTag prefix configuration setting log: Extend LogEvent with LogGroup/Category string extraction log: Add support for native systemd-journald logging log: Implement systemd-journald support in openvpn3-service-logger log: Split logwritter.hpp into its own compilation unit log: Split out StreamLogWriter and ColourStreamWriter log: Split out SyslogWriter to its own compilation unit log: Split out JournaldWriter to its own compilation unit log: Final change of the logwriter.hpp split-up refactoring log: Extend LogWriter API to provide backend info log: Extend net.openvpn.v3.log interface with log_method property cli/log: Provide information about logging method in use cli/log: Add admin --enable-log-prefix config setting log: Fix memory corruption with syslog/openlog() log: Rework initial opening information in logger service common: Extend Configuration::File with GetFilename() log: Extend state/config file option coverage log/logger: Simplify exclusive option check log/logger: Rework configuration/state loading log/logger: Extend with D-Bus property for config_file common: Add missing include files in cmdparser-exceptions.hpp cli/log: Add new options for logger config file management logger: Enable --journald as default log method build: Don't use space in PACKAGE_NAME docs/man: Add missing --auth-req option in openvpn3 session-auth docs: Added GitHub pull-request template log: Avoid halting logger startup on missing log-service.json dbus: Make bus_name and interface protected members in DBusProxy dbus/proxy: Check if property proxy is configured dbus/connection: Add extra connection tests in DBus constructors common: Add PlatformInfo API client: Send platform OS/distro peer information to server client: Simplify IV_GUI_VER string utils: Fix incorrect string concat in get_guiversion() tests/unit: Handle PlatformInfo::DBus error gracefully py
Re: [Openvpn-devel] [PATCH] Improve documentation for --dev and --dev-node.
On 14/09/2022 09:38, Antonio Quartulli wrote: Hi, On 14/09/2022 09:33, David Sommerseth wrote: On 12/09/2022 09:41, Gert Doering wrote: During the research for commit a5cf4cfb77f745 it turned out that OpenVPN's behaviour regarding "--dev arbitrary-name" is very platform-specific and not very well documented. The referenced commit fixed DCO behaviour to be in line with non-DCO linux behaviour, this commit catches up on the documentation. Signed-off-by: Gert Doering --- doc/man-sections/vpn-network-options.rst | 38 +++- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 5b2f8470..559b2464 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -69,15 +69,34 @@ routing. dev tap4 dev ovpn - When the device name starts with :code:`tun` or :code:`tap`, the device - type is extracted automatically. Otherwise the ``--dev-type`` option - needs to be added as well. + What happens if the device name is not :code:`tun` or :code:`tap` is + platform dependent. + + On most platforms, :code:`tunN` (e.g. tun2, tun30) and :code:`tapN` + (e.g. tap3) will create a numbered tun/tap interface with the number + specified - this is useful if multiple OpenVPN instances are active, + and the instance-to-device mapping needs to be known. Some platforms + do not support "numbered tap", so trying ``--dev tap3`` will fail. + + Arbitrary names (e.g. ``--dev home``) will not work on most platforms, + with the exception of Linux and FreeBSD with the DCO kernel driver. + + There, arbitrary names are allowed, and will create a tun or DCO + device named as requested. + This is confusing and not quite right. I've used "--dev home" for a long time on Linux with tun devices. But it requires "--dev-type tun". There are no dependencies on DCO in this use case. The text refers to two cases: * Linux * FreeBSD with DCO maybe the wording made it sound different? Ahh, so FreeBSD don't support arbitrary names with plain tun interfaces? If so, then I misread the sentence. Perhaps this is clearer? -- Arbitrary names (e.g. ``--dev home``) will not work on most platforms. Linux supports arbitrary names in addition to FreeBSD when using the DCO kernel driver. This will require ``--dev-type`` to be set. -- [...snip...] @@ -93,6 +112,11 @@ routing. both the network connections control panel name and the GUID for each TAP-Win32 adapter. + On other platforms, ``--dev-node node`` will influence the naming of the + created tun/tap device, if supported on that platform. If OpenVPN cannot + figure out whether ``node`` is a TUN or TAP device based on the name, + you should also specify ``--dev-type tun`` or ``--dev-type tap``. IIRC correctly on Windows (too many years since last time with a more advanced setup there), --dev-node does not influence the naming of the tap-windows6 interface, but is a reference to the pre-created interface. Windows didn't use to create interfaces on-the-fly like on Linux/BSD/macOS. Not sure if that has changed with tap-windows6 and neither how this is with wintun or ovpn-dco-win. It has not changed, but the "other platforms" the text is talking about does not include Windows. Okay, then it's fine. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Improve documentation for --dev and --dev-node.
On 12/09/2022 09:41, Gert Doering wrote: During the research for commit a5cf4cfb77f745 it turned out that OpenVPN's behaviour regarding "--dev arbitrary-name" is very platform-specific and not very well documented. The referenced commit fixed DCO behaviour to be in line with non-DCO linux behaviour, this commit catches up on the documentation. Signed-off-by: Gert Doering --- doc/man-sections/vpn-network-options.rst | 38 +++- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 5b2f8470..559b2464 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -69,15 +69,34 @@ routing. dev tap4 dev ovpn - When the device name starts with :code:`tun` or :code:`tap`, the device - type is extracted automatically. Otherwise the ``--dev-type`` option - needs to be added as well. + What happens if the device name is not :code:`tun` or :code:`tap` is + platform dependent. + + On most platforms, :code:`tunN` (e.g. tun2, tun30) and :code:`tapN` + (e.g. tap3) will create a numbered tun/tap interface with the number + specified - this is useful if multiple OpenVPN instances are active, + and the instance-to-device mapping needs to be known. Some platforms + do not support "numbered tap", so trying ``--dev tap3`` will fail. + + Arbitrary names (e.g. ``--dev home``) will not work on most platforms, + with the exception of Linux and FreeBSD with the DCO kernel driver. + + There, arbitrary names are allowed, and will create a tun or DCO + device named as requested. + This is confusing and not quite right. I've used "--dev home" for a long time on Linux with tun devices. But it requires "--dev-type tun". There are no dependencies on DCO in this use case. [...snip...] @@ -93,6 +112,11 @@ routing. both the network connections control panel name and the GUID for each TAP-Win32 adapter. + On other platforms, ``--dev-node node`` will influence the naming of the + created tun/tap device, if supported on that platform. If OpenVPN cannot + figure out whether ``node`` is a TUN or TAP device based on the name, + you should also specify ``--dev-type tun`` or ``--dev-type tap``. IIRC correctly on Windows (too many years since last time with a more advanced setup there), --dev-node does not influence the naming of the tap-windows6 interface, but is a reference to the pre-created interface. Windows didn't use to create interfaces on-the-fly like on Linux/BSD/macOS. Not sure if that has changed with tap-windows6 and neither how this is with wintun or ovpn-dco-win. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] wolfSSL unit test failures
On 18/08/2022 22:06, Arne Schwabe wrote: But if we have to spend time going through support requests and to keep something maintained that we ourselves have no intrinsic motivation to support, I will advocate to set/change the status of wolfSSL in OpenVPN to "unmaintained". Agreed. If wolfSSL support is expected to work in OpenVPN, those interested in wolfSSL need to be far more active and follow the OpenVPN development to ensure the support still functions and performs as expected. The wolfSSL support has so far had quite little impact on growing the OpenVPN user or development base, so there is little motivation or even reasons for the OpenVPN community to take ownership of this. Don't expect the wolfSSL support to be tested much at all by the community developers. On the other side, we do see that wolfSSL has more a benefit of slamming the "works with OpenVPN" label on wolfSSL. But don't count on the OpenVPN community doing the grunt work for wolfSSL. Either be more actively involved - or accept we will move it to an unmaintained status - plausibly removing it if it stays broken for a longer time. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2 3/4] Implement AUTH_FAIL, TEMP message support
On 20/05/2022 23:32, Arne Schwabe wrote: This allows a server to indicate a temporary problem on the server and allows the server to indicate how to proceed (i.e. move to the next server, retry the same server, wait a certain time,...) This adds options_utils.c/h to be able to unit test the new function. Patch v2: Improve documentation, format man page better, comment that protocol-flags is not a user usable option. --- doc/man-sections/script-options.rst | 36 ++ src/openvpn/Makefile.am | 1 + src/openvpn/init.c | 9 ++- src/openvpn/openvpn.vcxproj | 2 + src/openvpn/openvpn.vcxproj.filters | 3 +20220520213250.3126372-4-a...@rfc2549.org src/openvpn/options.h| 9 ++- src/openvpn/options_util.c | 104 +++ src/openvpn/options_util.h | 33 + src/openvpn/push.c | 11 ++- src/openvpn/ssl.c| 13 ++-- src/openvpn/ssl.h| 3 + tests/unit_tests/openvpn/Makefile.am | 1 + tests/unit_tests/openvpn/test_misc.c | 49 + 13 files changed, 266 insertions(+), 8 deletions(-) create mode 100644 src/openvpn/options_util.c create mode 100644 src/openvpn/options_util.h [...snip...] diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 577294804..a619aac38 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -95,6 +95,7 @@ openvpn_SOURCES = \ pkcs11_mbedtls.c \ openvpn.c openvpn.h \ options.c options.h \ +options_util.c options_util.h \ Indent mismatch. Makefile.am uses tabs ... because traditional Make needed it. Since the rest of our Makefile.am files uses tabs, we continue with that for now. [...snip...] diff --git a/src/openvpn/options_util.c b/src/openvpn/options_util.c new file mode 100644 index 0..d8a7e2343 --- /dev/null +++ b/src/openvpn/options_util.c @@ -0,0 +1,104 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2022 OpenVPN Inc + * Copyright (C) 2010-2021 Fox Crypto B.V. ^^ Does any of the code in this file come from Fox at all? If not, you could probably consider removing that last line. [...snip...] +const char * +parse_auth_failed_temp(struct options *o, const struct buffer *buf) +{ The code here looks nice and clean; unit tests runs fine as well. diff --git a/src/openvpn/options_util.h b/src/openvpn/options_util.h new file mode 100644 index 0..9785bb239 --- /dev/null +++ b/src/openvpn/options_util.h @@ -0,0 +1,33 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2022 OpenVPN Inc + * Copyright (C) 2010-2021 Fox Crypto B.V. Same copyright note as for the options_util.c. [...snip...] --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -93,6 +93,9 @@ * result. */ #define IV_PROTO_NCP_P2P (1<<5) +/** Support for AUTH_FAIL,TEMP messages */ +#define IV_PROTO_AUTH_FAIL_TEMP (1<<6) + This conflicts with IV_PROTO_DNS_OPTION which has already been merged to git master. [...snip...] I've not yet tested this code in a functional test; it compiles fine without warnings and unit tests runs fine. Since some minor changes are need, I just wanted to get this feedback sent before I run some more testing. One thing I spotted, and I'm not sure if it's my Thunderbird fooling me or what it is ... there were spurious indenting "errors" here and there. But the patch I pulled down directly from Patchwork had no such issues at all. I'll check that more carefully on my end. One issue I know is real I've commented here already. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2 1/4] Implement exit notification via control channel
On 20/05/2022 23:32, Arne Schwabe wrote: Current exit notification relies on data channel messages with specific prefix. Adding these to new data channel modules (DCO) adds unncessary complexity for the data for messages that from their idea belong to the control channel anyway. This patch adds announcing support for control channel and sending/receving it. We use the simple EXIT message for this. Patch V2: add comment about protocol-flags to be not a user visible option, fix various grammar mistakes, remove unused argument to receive_exit_message --- doc/man-sections/client-options.rst | 7 ++- src/openvpn/crypto.h| 5 + src/openvpn/forward.c | 4 src/openvpn/multi.c | 5 + src/openvpn/options.c | 20 src/openvpn/push.c | 19 +++ src/openvpn/push.h | 2 ++ src/openvpn/sig.c | 27 +-- src/openvpn/ssl.c | 3 +++ src/openvpn/ssl.h | 3 +++ src/openvpn/ssl_ncp.c | 5 + 11 files changed, 97 insertions(+), 3 deletions(-) [...snip...] diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 9ff384d09..427d58392 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8326,6 +8326,8 @@ add_option(struct options *options, } else if (streq(p[0], "key-derivation") && p[1]) { +/* NCP only option that is pushed by the server to enable EKM, + * should not be used by normal users in config files*/ This part seems unrelated. VERIFY_PERMISSION(OPT_P_NCP) #ifdef HAVE_EXPORT_KEYING_MATERIAL if (streq(p[1], "tls-ekm")) @@ -8338,6 +8340,24 @@ add_option(struct options *options, msg(msglevel, "Unknown key-derivation method %s", p[1]); } } +else if (streq(p[0], "protocol-flags") && p[1]) +{ +/* NCP only option that is pushed by the server to enable protocol + * features that are negotiated, should not be used by normal users + * in config files */ +VERIFY_PERMISSION(OPT_P_NCP) +for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++) +{ +if (streq(p[j], "cc-exit")) +{ +options->data_channel_crypto_flags |= CO_USE_CC_EXIT_NOTIFY; +} +else +{ +msg(msglevel, "Unknown protocol-flags flag: %s", p[j]); +} +} +} Isn't it possible to do this by pushing IV_PROTO from the server to the client? That could be more compact than adding 22 more bytes to the PUSH_REPLY while IV_PROTO takes less "space" on the wire to indicate a feature. Plus the client already sends the IV_PROTO with the CC_EXIT_NOTIFY feature flag to the server with this patch. The rest of the code otherwise looks reasonable with the current "option approach". The client also sends the IV_PROTO_CC_EXIT_NOTIFY flag to the server, as expected. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v3] Fix OpenVPN querying user/password if auth-token with user expires
On 17/02/2022 19:22, Arne Schwabe wrote: The problematic behaviour happens when start a profile without That sentence can be improved slightly; can be done commit time. I propose: The problematic behaviour happens when a profile is started without auth-user-pass and connect to a server that pushes auth-token When the auth token expires OpenVPN asks for auth User and password again. The problem is that the auth_user_pass_setup sets auth_user_pass_enabled = true; This function is called from two places. In ssl.c it is only called with an auth-token present or that variable already set. The other one is init_query_passwords. Move setting auth_user_pass_enabled to the second place to ensure it is only set if we really want passwords. Patch v2: Remove unrelated code change Patch v3: Rebase to master Signed-off-by: Arne Schwabe I've done several attempts to reproduce the ill behavior with OpenVPN 2.5.7, both local server (using the --management interface), OpenVPN Cloud and OpenVPN Access Server (auto-login profile) without being able to trigger this behavior. Maybe my testing just didn't run long enough. Connections was restarted, servers restarted to wipe state, etc. But it just reconnected again without any issues. So behavior this patch fixes is clearly in the "corner case" area of bugs. That said, the code looks fine and sane. I can understand the code path and I can see that username/passwords should - in theory - not be asked for when the auth-token expires with this fix; and that it would ask for it without this fix. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 1/1] configure.ac: replace set with env
On 06/01/2020 09:04, Christian Hesse wrote: From: Christian Hesse The shell builtin `set` produces different output for different shells: bash$ set | grep '^TERM=' TERM=xterm dash$ set | grep '^TERM=' TERM='xterm' This may break reproducible builds depending on what shell is used. Let's replace `set` with `env`, which is a real command and always produces identical output. Hi, Spotted this one now, lingering for way too long. And it looked trivial. Except it doesn't give the expected outcome on my RHEL-8 machine. The CONFIGURE_DEFINES macro in config.h ends up empty. Reverting this patch alone, and it comes back again. So, I'm sorry, I can't ack this one. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Add ability to specify initialize flags for pkcs11 provider
On 19/06/2022 19:28, Selva Nair wrote: Hi, On Thu, Sep 30, 2021 at 7:34 AM Petr Mikhalicin via Openvpn-devel <mailto:openvpn-devel@lists.sourceforge.net>> wrote: New pkcs11-helper interface allows to setup pkcs11 provider via properties: https://github.com/alonbl/pkcs11-helper/commit/b78d21c7e26041746aa4ae3d08b95469e1714a85 <https://github.com/alonbl/pkcs11-helper/commit/b78d21c7e26041746aa4ae3d08b95469e1714a85> Also pkcs11-helper added ability to setup init args for pkcs11 provider: https://github.com/alonbl/pkcs11-helper/commit/133f893e30856eba1de715ecd6fe176722eb3097 <https://github.com/alonbl/pkcs11-helper/commit/133f893e30856eba1de715ecd6fe176722eb3097> Signed-off-by: Petr Mikhalicin mailto:mkh199...@mail.ru>> Sorry for the long delay in getting back on this. I somehow also missed the related discussion on Trac (https://community.openvpn.net/openvpn/ticket/1453 <https://community.openvpn.net/openvpn/ticket/1453>) I don't quite understand the need for exposing "init-args" to the user. The only two supported flags in the cryptoki docs are related to the use of threads. But we are the application and we should know what flags to pass --- not the user --- isn't it? If CKF_OS_LOCKING_OK is required, can't we just set it unconditionally? That said, OpenVPN2 is single threaded, so why is there a "bug in openvpn" related to the use of pkcs11 library from multiple threads referred to in the trac ticket? I haven't dug too deep into the matter this time; and it depends also on the OS you are on. But there has been some issues with pkcs11-helper on hosts with systemd, due to some intricacies with openvpn doing a fork to kick off the password query mechanism with systemd colliding with some pkcs11-helper implementation details. For the systemd case, we added a workaround which made most people happy. For more details: <https://community.openvpn.net/openvpn/ticket/538> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied v2] GitHub Actions: trigger openvpn-build GHA on success
On 17/06/2022 13:06, David Sommerseth wrote: From: David Sommerseth Your patch has been applied commit 6a26cb51297024b563603faf78a33298b5d59f30 master Author: Lev Stipakov Date: Sun, 05 Jun 2022 00:40:13 + GitHub Actions: trigger openvpn-build GHA on success Signed-off-by: Lev Stipakov Patchwork-Id: 2508 URL: https://patchwork.openvpn.net/patch/2508/ Signed-off-by: David Sommerseth Unfortunately, my patchwork script failed when creating the reply message and I spotted it too late. The Acked-by line was stripped out. The proper reply message should have been: commit 6a26cb51297024b563603faf78a33298b5d59f30 master Author: Lev Stipakov Date: Sun, 05 Jun 2022 00:40:13 + GitHub Actions: trigger openvpn-build GHA on success Signed-off-by: Lev Stipakov Acked-by: Samuli Seppänen Patchwork-Id: 2508 URL: https://patchwork.openvpn.net/patch/2508/ Signed-off-by: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied v2] GitHub Actions: trigger openvpn-build GHA on success
From: David Sommerseth Your patch has been applied commit 6a26cb51297024b563603faf78a33298b5d59f30 master Author: Lev Stipakov Date: Sun, 05 Jun 2022 00:40:13 + GitHub Actions: trigger openvpn-build GHA on success Signed-off-by: Lev Stipakov Patchwork-Id: 2508 URL: https://patchwork.openvpn.net/patch/2508/ Signed-off-by: David Sommerseth -- kind regards, David Sommerseth ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] [OpenVPN 2.5] Allow running a default configuration with TLS libraries without BF-CBC
On 03/06/2022 11:52, Arne Schwabe wrote: Modern TLS libraries might drop Blowfish by default or distributions might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC options with BF-CBC compatible strings. To avoid requiring BF-CBC for this, special this one usage of BF-CBC enough to avoid a hard requirement on Blowfish in the default configuration. This patch is cherry-picked from 79ff3f79 and the missing ciphername = "none"; has been added in the OCC code. Signed-off-by: Arne Schwabe --- src/openvpn/crypto_backend.h | 2 ++ src/openvpn/init.c | 37 +-- src/openvpn/options.c| 48 +++- 3 files changed, 73 insertions(+), 14 deletions(-) Just for the record. This patch has been included into Fedora 36 and EPEL-9 builds, released as openvpn-2.5.7-2. Fedora 36 users has reported that this patch resolves issues which surfaced when upgrading to openvpn-2.5.7-1. A few references: <https://bodhi.fedoraproject.org/updates/FEDORA-2022-8ca0f56650> <https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-dd161a4d75> <https://bugzilla.redhat.com/show_bug.cgi?id=2092800> <https://bugzilla.redhat.com/show_bug.cgi?id=2093069> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied OpenVPN3 2/2] omi: add support for ovpn-dco-win
From: David Sommerseth Your patch has been applied to the master branch commit 94848c3cc3f5ea1fec97ab6b18ba7eff6923561d master Author: Christopher Ng Date: Tue, 07 Jun 2022 16:30:49 + omi: add support for ovpn-dco-win Signed-off-by: Christopher Ng Acked-by: Lev Stipakov Patchwork-Id: 2509 URL: https://patchwork.openvpn.net/patch/2509/ Message-Id: <20220607163049.10056-2-fac...@gmail.com> Signed-off-by: David Sommerseth -- kind regards, David Sommerseth ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied OpenVPN3 1/2] ovpnagent: fix quoting of omiclient parameters
From: David Sommerseth Your patch has been applied to the master branch commit 452e7cb6259d40ae0a1ff749d22a1634c7100fc9 master Author: Christopher Ng Date: Tue, 07 Jun 2022 16:30:48 + ovpnagent: fix quoting of omiclient parameters Signed-off-by: Christopher Ng Acked-by: Lev Stipakov Patchwork-Id: 2510 URL: https://patchwork.openvpn.net/patch/2510/ Message-Id: <20220607163049.10056-1-fac...@gmail.com> Signed-off-by: David Sommerseth -- kind regards, David Sommerseth ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN 3 Linux client - v18 beta released
tdown phase of a VPN session, where it would typically wait for statistics data to be collected it, could print various errors about local variables being unavilable. This has now been improved. Note about future releases -- OpenVPN 3 Linux is now in a stabilization phase. We aim to have a few more releases tagged as 'beta' before the first real stable release, where the focus are primarily bug fixes and improving user experiences through the interfaces already available. This does mean that OpenVPN 3 Linux is generally considered quite stable and can be tested more actively in production environments. Supported Linux distributions - - Debian 10 (amd64, arm64) - Debian 11 (amd64, arm64) - Fedora 35, 36 and Rawhide (x86_64, aarch64, s390x) - Red Hat Enterprise Linux 7 (x86_64) - Red Hat Enterprise Linux 8 and 9 (x86_64, aarch64) - Ubuntu 18.04, 20.04, 21.10 and 22.04 (amd64, arm64) The arm64 support on selected Debian and Ubuntu releases are considered a tech-preview. -- kind regards, David Sommerseth OpenVPN Inc Source tarballs --- * OpenVPN 3 Linux v18 beta <https://swupdate.openvpn.net/community/releases/openvpn3-linux-18_beta.tar.xz> <https://swupdate.openvpn.net/community/releases/openvpn3-linux-18_beta.tar.xz.asc> SHA256 Checksums -- 205ace04986a28ddf27b27b26b57132c9ba83eda32bfb482576aeed456ab3941 openvpn3-linux-18_beta.tar.xz f1a822be0e0fec7b06bb1ddaf687fa7b87793e51bacf7e08324d2533636f2208 openvpn3-linux-18_beta.tar.xz.asc git references git repositories: <https://gitlab.com/openvpn/openvpn3-linux> <https://github.com/OpenVPN/openvpn3-linux> git tag: v18_beta git commit: 5c47318f719aa04606219c2f0913f5d63d3ee999 Changes from v17_beta to v18_beta -- David Schneider (1): docs: Fix incorrect doc paths in net.openvpn.v3.sessions docs David Sommerseth (79): core-extension: Revamp the whole OptionListJSON class core-extension: Remove the ProfileMergeJSON class ovpn3cli: Improve session-start tip with URL auth python: Add support for enable-legacy-algorithms in config parser python: Extend openvpn3.Configuration class with GetConfigName() python: Extend openvpn3.Configuration class with SetOwnershipTransfer() python: Extend openvpn3-as with systemd integration python: Extend openvpn3-as with --owner log/proxy: Switch over from RCPtr to std::shared_ptr log/proxy: Add LogServiceProxyException exception class log/proxy: Add LogServiceProxy::AttachInterface() helper function configmgr: Switch over to LogServiceProxy::AttachInterface() sessionmgr: Switch over to LogServiceProxy::AttachInterface() netcfg: Switch over to LogServiceProxy::AttachInterface() client: Switch over to LogServiceProxy::AttachInterface() addons/aws: Switch over to LogServiceProxy::AttachInterface() python: Add --auth-nocache to ConfigParser's ignore list python: Fix spurious errors during disconnect in openvpn2 common: Add error handling to Configuration::File::Save() dbus: Fix various warnings in connection.hpp dbus: Fix/improve header inclusion in signal.hpp client: Add missing include dbus-log.hpp in backend-signal.hpp log: Fix several spelling errors in comments in logwriter.hpp log: Remove the openvpn namespace and improve includes in dbus-log.hpp build: Rework distro/systemd EXTRA_DIST file list python: Allow --auth-retry to be passed on tests: Fix incorrect namespace closing in machine-id test build: Disallow AWS addon builds without OpenSSL build: Remove hard-coded gio-unix-2.0 include paths common: Fix missing header include for UID/GID lookups dbus: Remove the openvpn namespace from DBus related classes dbus: Extend DBus class with GetUniqueBusName() dbus: Ensure the D-Bus connection is valid dbus: Make path.hpp a separate compilation unit dbus: Free some GError structures in DBusProxy calls log: Refactor service.hpp to be a separate compilation unit log: Replace RC/RCPtr based smart pointers with standard C++ log: Make dbus-log.hpp a separate compilation unit log: Don't log or proxy empty log events dbus: Extend with DBusSignalProducer::set_object_path() client: Extend with BackendSignals::SetSessionPath() client: Extend RegistrationConfirmation D-Bus method with session path client: Extend BackendSignals with GetSessionPath() method client: Provide related session path as a property log: Implement net.openvpn.v3.log.AssignSession client: Provide session path details to log service log: Extend D-Bus
Re: [Openvpn-devel] [PATCH v2] signal --dns support in peer info
On 13/05/2022 13:40, Arne Schwabe wrote: Am 13.05.22 um 13:22 schrieb David Sommerseth: On 13/05/2022 11:37, Heiko Hund wrote: Have clients set a bit in IV_PROTO, so that servers can make an informed decision on whether to push --dns to the client. While unknown options are ignored by clients when pushed, they generate a warning in the log. That can be circumvented by server backends by checking if bit 7 is set. Signed-off-by: Heiko Hund [...snip...] + /* support for the --dns option */ + iv_proto |= IV_PROTO_DNS_OPTION; + [...snip...] +#define IV_PROTO_DNS_OPTION (1<<6) + [...snip...] To be honest, I requested this flag but I don't think this is really what I want/need any more. I wanted to have a flag that tells me as a server that I can push --dns options instead of --dhcp-options and accept the client to evaluate them. But after some digging, I found that on platforms where dhcp-option is NOT parsed by openvpn itself (so anything but Android and Windows) and scripts are used to set DNS, these scripts will always use dhcp-options as they rely on foreign_option support. So they end up with no DNS configuration if only --dns is pushed and using --dhcp-option options if both are pushed unless the script is updated. As I remember it, this wasn't initially about Android and Windows clients. It was about the server pushing both --dhcp-option DNS and --dns at the same time, and that OpenVPN 2.5 and older clients would complain about --dns option warnings. By signalling to a server who wants to avoid this (like the Access Server), the server can chose if it wants to send --dns or --dhcp-options, based on this flag. Right? That the client side isn't parsing --dns options properly is to my understanding a different issue, which also needs a solution. And if my memory isn't completely corrupted, we had some brief talks about v2.6 clients adding some kind of "conversion" from --dns to --dhcp-options *data* for scripts/plug-ins - but only in a simplistic best-effort approach. If the strict --dhcp-option behavior is needed, that can be used with v2.6 clients for the time being if --dns causes troubles. But if both --dns and --dhcp-options are used, and the --dhcp-option provides a setting --dns support, --dns should take precedence. This should also work fine, as the --dns option is far more flexible in what it supports, while --dhcp-options are just simpler by design - and designed around a lesser dynamic Internet world. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] signal --dns support in peer info
On 13/05/2022 11:37, Heiko Hund wrote: Have clients set a bit in IV_PROTO, so that servers can make an informed decision on whether to push --dns to the client. While unknown options are ignored by clients when pushed, they generate a warning in the log. That can be circumvented by server backends by checking if bit 7 is set. Signed-off-by: Heiko Hund --- src/openvpn/ssl.c | 3 +++ src/openvpn/ssl.h | 3 +++ 2 files changed, 6 insertions(+) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 61dea996..24d7f3f4 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1940,6 +1940,9 @@ push_peer_info(struct buffer *buf, struct tls_session *session) /* support for P_DATA_V2 */ int iv_proto = IV_PROTO_DATA_V2; +/* support for the --dns option */ +iv_proto |= IV_PROTO_DNS_OPTION; + /* support for receiving push_reply before sending * push request, also signal that the client wants * to get push-reply messages without without requiring a round diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 0ba86d3e..c8802707 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -93,6 +93,9 @@ * result. */ #define IV_PROTO_NCP_P2P (1<<5) +/** Supports the --dns option introduced in version 2.6 */ +#define IV_PROTO_DNS_OPTION (1<<6) + /* Default field in X509 to be username */ #define X509_USERNAME_FIELD_DEFAULT "CN" Only glared on the code and compile tested. LGTM. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] The Great Reformatting of 2022
From: David Sommerseth It was agreed it was time to do a full reformat fix-up of the whole source tree again. Over time (since late 2016) small changes has not adhered to our uncrustify defined coding style. This realigns to our current standards. Signed-off-by: David Sommerseth --- Note: One change was applied manually before reformatting the code. The test_digest and good_sig const arrays had the starting curly brace moved up after the equal sign. This was to avoid the whole array data to be left aligned at column 0. Moving the curly brace opening after the equal sign gave a nicer indenting of the block. --- sample/sample-plugins/defer/multi-auth.c | 23 ++-- .../keyingmaterialexporter.c | 2 +- src/compat/compat-versionhelpers.h| 2 +- src/openvpn/auth_token.c | 2 +- src/openvpn/console_builtin.c | 2 +- src/openvpn/crypto_backend.h | 9 +- src/openvpn/crypto_mbedtls.c | 23 ++-- src/openvpn/crypto_openssl.c | 48 + src/openvpn/cryptoapi.c | 16 +-- src/openvpn/dns.h | 2 +- src/openvpn/error.c | 3 +- src/openvpn/forward.c | 3 +- src/openvpn/init.c| 56 +- src/openvpn/init.h| 1 + src/openvpn/manage.c | 2 +- src/openvpn/misc.h| 4 +- src/openvpn/mss.c | 12 +-- src/openvpn/mss.h | 2 +- src/openvpn/mtu.c | 2 +- src/openvpn/multi.c | 7 +- src/openvpn/networking_sitnl.c| 2 + src/openvpn/openssl_compat.h | 15 +-- src/openvpn/openvpn.c | 14 +-- src/openvpn/options.c | 74 ++--- src/openvpn/options.h | 8 +- src/openvpn/pkcs11_openssl.c | 32 +++--- src/openvpn/platform.c| 8 +- src/openvpn/push.c| 12 ++- src/openvpn/ring_buffer.h | 2 +- src/openvpn/route.c | 4 +- src/openvpn/run_command.h | 2 +- src/openvpn/socket.h | 8 +- src/openvpn/socks.c | 2 +- src/openvpn/ssl.c | 34 +++--- src/openvpn/ssl_backend.h | 2 +- src/openvpn/ssl_common.h | 25 +++-- src/openvpn/ssl_mbedtls.c | 21 ++-- src/openvpn/ssl_mbedtls.h | 2 +- src/openvpn/ssl_ncp.c | 32 +++--- src/openvpn/ssl_openssl.c | 26 ++--- src/openvpn/ssl_verify.c | 46 src/openvpn/ssl_verify_openssl.c | 2 +- src/openvpn/syshead.h | 4 +- src/openvpn/tun.c | 38 +++ src/openvpn/xkey_common.h | 14 +-- src/openvpn/xkey_helper.c | 26 ++--- src/openvpn/xkey_provider.c | 98 - src/openvpnmsica/openvpnmsica.h | 8 +- src/openvpnserv/common.c | 6 +- src/openvpnserv/interactive.c | 101 +- src/openvpnserv/service.c | 8 +- src/plugins/auth-pam/auth-pam.c | 22 ++-- src/tapctl/main.c | 3 +- src/tapctl/tap.c | 30 +++--- tests/unit_tests/openvpn/test_crypto.c| 10 +- tests/unit_tests/openvpn/test_misc.c | 6 +- tests/unit_tests/openvpn/test_ncp.c | 2 +- tests/unit_tests/openvpn/test_provider.c | 60 ++- tests/unit_tests/openvpn/test_tls_crypt.c | 2 +- .../auth-pam/test_search_and_replace.c| 21 ++-- 60 files changed, 549 insertions(+), 504 deletions(-) diff --git a/sample/sample-plugins/defer/multi-auth.c b/sample/sample-plugins/defer/multi-auth.c index 20c9dac5..c2672981 100644 --- a/sample/sample-plugins/defer/multi-auth.c +++ b/sample/sample-plugins/defer/multi-auth.c @@ -72,7 +72,8 @@ struct plugin_context { /* local wrapping of the log function, to add more details */ static plugin_vlog_t _plugin_vlog_func = NULL; -static void plog(const struct plugin_context *ctx, int flags, char *fmt, ...) +static void +plog(const struct plugin_context *ctx, int flags, char *fmt, ...) { char logid[129]; @@ -243,11 +244,11 @@ do_auth_user_pass(struct plugin_context *context, const char *username, const char *password) { plog(context, PLOG_NOTE, -"expect_user=%s, received_user=%s, expect_passw=%s, received_pas
[Openvpn-devel] [PATCH 1/3] dev-tools: Remove no longer needed openvpn-plugin.h.in patching
From: David Sommerseth The bug in uncrustify 0.64 is no longer causing us issues as we now require at least v0.72. This workaround was added as part of the initial reformat-all inclusion, in commit 2417d55c4945d491e. Signed-off-by: David Sommerseth --- .../after_include_openvpn-plugin.h.in.patch | 13 - .../before_include_openvpn-plugin.h.in.patch| 13 - dev-tools/special-files.lst | 1 - 3 files changed, 27 deletions(-) delete mode 100644 dev-tools/reformat-patches/after_include_openvpn-plugin.h.in.patch delete mode 100644 dev-tools/reformat-patches/before_include_openvpn-plugin.h.in.patch diff --git a/dev-tools/reformat-patches/after_include_openvpn-plugin.h.in.patch b/dev-tools/reformat-patches/after_include_openvpn-plugin.h.in.patch deleted file mode 100644 index 100da078.. --- a/dev-tools/reformat-patches/after_include_openvpn-plugin.h.in.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in -index 05bffab..05b4b6a 100644 a/include/openvpn-plugin.h.in -+++ b/include/openvpn-plugin.h.in -@@ -169,7 +169,7 @@ typedef void *openvpn_plugin_handle_t; - /* - * We are compiling OpenVPN. - */ --/* #define OPENVPN_PLUGIN_DEFtypedef */ -+#define OPENVPN_PLUGIN_DEFtypedef - #define OPENVPN_PLUGIN_FUNC(name) (*name) - - #else /* ifdef OPENVPN_PLUGIN_H */ diff --git a/dev-tools/reformat-patches/before_include_openvpn-plugin.h.in.patch b/dev-tools/reformat-patches/before_include_openvpn-plugin.h.in.patch deleted file mode 100644 index 679c4149.. --- a/dev-tools/reformat-patches/before_include_openvpn-plugin.h.in.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in -index 34ad18b..f4c5472 100644 a/include/openvpn-plugin.h.in -+++ b/include/openvpn-plugin.h.in -@@ -169,7 +169,7 @@ typedef void *openvpn_plugin_handle_t; - /* - * We are compiling OpenVPN. - */ --#define OPENVPN_PLUGIN_DEFtypedef -+// #define OPENVPN_PLUGIN_DEFtypedef - #define OPENVPN_PLUGIN_FUNC(name) (*name) - - #else diff --git a/dev-tools/special-files.lst b/dev-tools/special-files.lst index f3f77ea3..64ee9e1a 100644 --- a/dev-tools/special-files.lst +++ b/dev-tools/special-files.lst @@ -1,4 +1,3 @@ E:doc/doxygen/doc_key_generation.h # @verbatim section gets mistreated, exclude it E:src/compat/compat-lz4.c # Preserve LZ4 upstream formatting E:src/compat/compat-lz4.h # Preserve LZ4 upstream formatting -P:include/openvpn-plugin.h.in # uncrustify segfaults, patch it before+after -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 3/3] dev-tools: Avoid uncrustify mangling MAC_FMT macro
From: David Sommerseth The MAC_FMT in src/openvpn/misc.h need to be formatted strictly, and uncrustify does not fully grasp the current code. So we tell it to not touch it. Signed-off-by: David Sommerseth --- src/openvpn/misc.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 7970b60d..d8a15650 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -212,7 +212,9 @@ struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc); #define _STRINGIFY(S) #S +/* *INDENT-OFF* - uncrustify need to ignore this macro */ #define MAC_FMT _STRINGIFY(%02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx) +/* *INDENT-ON* */ #define MAC_PRINT_ARG(_mac) _mac[0], _mac[1], _mac[2], \ _mac[3], _mac[4], _mac[5] #define MAC_SCAN_ARG(_mac) &_mac[0], &_mac[1], &_mac[2], \ -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 2/3] dev-tools: Remove uncrusify -p
From: David Sommerseth The -p option to uncrustify was providing debug information about decisions done by uncrustify. This was useful when debugging why certain formatting choices. With newer versions of uncrusitfy the -p option can only be used on individual files and not a list of files. Since still supporting this would require a bigger rewrite of reformat-all.sh, it was chosen to instead remove the usage of this option. If certain behaviours needs to be debugged, running uncrusity on individual files directly will work fine anyhow. Signed-off-by: David Sommerseth --- dev-tools/reformat-all.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dev-tools/reformat-all.sh b/dev-tools/reformat-all.sh index dc2bfc4e..ff126b0f 100755 --- a/dev-tools/reformat-all.sh +++ b/dev-tools/reformat-all.sh @@ -80,8 +80,8 @@ cd "$srcroot" # Kick off uncrustify echo -echo "** INFO ** Running: uncrustify -c $cfg --no-backup -l C -p debug.uncr -F $files" -uncrustify -c "$cfg" --no-backup -l C -p debug.uncr -F "$files" 2>&1 +echo "** INFO ** Running: uncrustify -c $cfg --no-backup -l C -F $files" +uncrustify -c "$cfg" --no-backup -l C -F "$files" 2>&1 res=$? echo "** INFO ** Uncrustify completed (exit code $res)" } | tee "${log}-1" # Log needs to be closed here, to be processed in next block -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Fix links to client docs
On 19/04/2022 15:09, David Schneider wrote: Hello This is my first contribution to this project. As stated in the README patches should be sent to the mailing list. Here is a small change to fix the wrong path to the client docs page. Please let me know if the patch should be submitted in any other form. Thanks a lot! This worked fine, I could easily do a 'git am' on your attachment. I've applied your patch, but slightly adjusted the commit message. commit b7d9bda52aee2f0577fd45e0adbf9ac3eaf8ae00 Author: David Schneider Date: Tue Apr 19 14:48:39 2022 +0200 docs: Fix incorrect doc paths in net.openvpn.v3.sessions docs Signed-off-by: David Schneider Signed-off-by: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Enable deferred auth for multiple plugins (RFC).
On 10/03/2022 12:57, Gert Doering wrote: Without this patch, OpenVPN behaviour if more than one plugin wants to do deferred user/password authentication not well-defined, as there is just one set of auth control files and a single plugin state. This patch changes "key state -> plugin_auth" from a single struct to an array of MAX_PLUGINS elements that have per-plugin auth-control files and auth status. All direct access is changed to iterating over this array. The actual plugin calls are no longer done with the "do them all" function plugin_call() (or plugin_call_ssl()) but plugin.c/plugin.h is changed to expose the "call one" function plugin_call_item(), and verify_user_pass_plugin() calls this for each loaded plugin, keeping track of "overall" state. key_state_test_plugin_auth() is introduced to do the "key_state_test_auth_control_file()" test for all plugins, and return "FAIL if one fails, PENDING if one is pending, SUCCESS if one was pending and succeeded now". This was tested with the "auth-multi" test plugin, with 5-7 plugins loaded (some deferred, some direct) and "some of them failing" or "all succeeding". Testing included "will it leak files if multiple deferred plugins are ongoing, and one of the earlier ones rejects authentication". This patch is not suitable for production use: - it's full of debug output - it will break compilation without ENABLE_PLUGINS - it stands to argue whether plugin_call_item() should be exposed, or key_state_test_plugin_auth() might be moved to plugin.c instead (with a null function if ENABLE_PLUGINS is not defined) Signed-off-by: Gert Doering --- src/openvpn/plugin.c | 2 +- src/openvpn/plugin.h | 9 +++ src/openvpn/ssl.c| 5 +- src/openvpn/ssl_common.h | 4 +- src/openvpn/ssl_verify.c | 127 --- 5 files changed, 123 insertions(+), 24 deletions(-) Hi, So I've had a deeper dive into this proposal. At the moment, I have only glared at the code and considered the overall implementation idea. TL;DR: This makes a lot of sense, and we should pursue this further. But there are room for some adjustments and further improvements. When it comes to exposing plugin_call_item(), I think it makes sense to refactor the changes you've added to verify_user_pass_plugin() into plugin_call_ssl() instead. This will make this implementation more generic and not having a special behavior only for auth-user-pass. I also had a quick look at verify_user_pass_script() as well, and I think this needs to be re-evaluated with this change as well. Scripts can now also do deferred authentication (which I believe is a new feature in git master/coming 2.6). We may hit the same undefined behavior here as well with at least --auth-user-pass-verify, possibly other too. The critical code path in regards to the authentication is in the new key_state_test_plugin_auth(). This implementation looks sane. I would probably suggest to use a different variable name than 'ret_one'. Perhaps 'plugin_state' is a better name? It was especially the last if() clause requiring me to re-read it a few times, as I missed the '_one' part and didn't quite understand the logic behind "ret = ACF_SUCCEEDED && ret != ACF_PENDING"; it made more sense when I grasped the first "ret" was supposed to be "ret_one". Also, in that function "&(ads[i])" isn't the prettiest approach, but will work. Could we do this nicer? Another improvement I think can be reasonable is to refactor plugin_n() to return an internal counter of loaded plug-ins instead of passing a pointer to a plugin struct. This allows the proposed changes to use plugin_n() more freely and to avoid iterating over MAX_PLUGINS. Now there is a mixture between iterating plugin_n() and MAX_PLUGINS, and in most configurations plugin_n() will return a lower value than MAX_PLUGINS. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges
On 06/04/2022 14:44, Timo Rothenpieler wrote: --- a/configure.ac +++ b/configure.ac @@ -794,6 +794,25 @@ dnl esac fi +dnl +dnl Depend on libcap-ng on Linux +dnl +case "$host" in + *-*-linux*) + PKG_CHECK_MODULES([LIBCAPNG], + [libcap-ng], + [have_libcapng="yes"], do we really need have_libcapng? it seems it is not used further in configure.ac I have little to no experience with autotools, and I think this is straight up copied from the openvpn3 setup. That's probably right. Can I just leave the line empty? Or put empty [] there? Yes, [] should suffice. That said, it makes no big difference if it is there or not. If needed to check ("test") if libcap-ng is available or not, this checks needs to be added again though. That said, we do not have a consistent way of using PKG_CHECK_MODULES() in general. We have at least 4 different ways in use today. Probably something to clean-up some day later. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges
On 06/04/2022 14:44, Timo Rothenpieler wrote: 'man cap_change_id' does not mention setting errno at all. What do we expect to see with M_ERRNO? Every function it internally calls sets errno, so in case of failure errno will reflect what went wrong. Like, for example EPERM will be the most common cause of failure. capng_change_id() does several other lower level calls, like prctl(), setgroups(), setresgid() and setresuid(). They all set errno if an error occurs. The return code of capng_change_id() just reflects in which phase of dropping privileges/uid/gid it failed. For more details of the capng_change_id(), the implementation itself isn't that hard to read (but it does a several steps to harden the privilege drop): <https://github.com/stevegrubb/libcap-ng/blob/03b8572843b36bf071776a311c61f8d1dcfc4d53/src/cap-ng.c#L960> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges
On 31/03/2022 15:26, Gert Doering wrote: Hi, On Thu, Mar 31, 2022 at 03:20:59PM +0200, David Sommerseth wrote: I've also run a few tests using an --up script which modified /etc/resolv.conf, which also worked as expected with capabilities enabled. This is actually an interesting corner case. As far as I understand, --up runs before setuid, so that should always succeed - but if you do that, cleaning up resolv.conf in --down won't succeed. That is actually correct, and to be honest I didn't think about the order of when running as client. We could "fix" --down now, but I will not recommend it at all. We could add the CAP_DAC_OVERRIDE capability. But that's a massive sledge hammer, giving read/write access to any file on the system. Only security modules like SELinux, AppArmor and such can block access with this capability enabled. So this is definitely not the right capability to have in the main OpenVPN process now. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges
On 30/03/2022 22:55, Timo Rothenpieler wrote: --- Using libcap-ng now configure.ac | 19 + distro/systemd/openvpn-cli...@.service.in | 2 +- distro/systemd/openvpn-ser...@.service.in | 2 +- src/openvpn/init.c| 25 ++- src/openvpn/platform.c| 91 +++ src/openvpn/platform.h| 5 ++ 6 files changed, 140 insertions(+), 4 deletions(-) Since I worked closely with Timo on this patch version, I don't feel I should give it an ACK verdict alone. But I believe this is the right patch to include. I will just suggest a commit message: -- platform: Retain CAP_NET_ADMIN when dropping privileges On Linux, when dropping privileges, interaction with the network configuration, such as tearing down routes or ovpn-dco interfaces will fail when --user/--group are used. This patch set sets the CAP_NET_ADMIN capability, which grants the needed privileges during the lifetime of the OpenVPN process when dropping root privileges. Signed-off-by: Timo Rothenpieler Reviewed-By: David Sommerseth -- I have otherwise tested this patch on a Rocky Linux 8 distribution. Client test cases I ran when testing this was: * from the command line, with and without DCO * via systemd, with and without DCO With these 4 test cases, each of them were run with combinations of * no --user/--group * only --user * only --group * both --user and --group I've also run a few tests using an --up script which modified /etc/resolv.conf, which also worked as expected with capabilities enabled. There were no unexpected behavior with this final patch set, with one special exception which is outside the scope of this patch - SELinux. SELinux on Fedora and RHEL (which Rocky Linux inherits) denies the OpenVPN process when run via systemd to use the SET_PCAP capability. In addition, the SELinux reference policy also denies all interactions with the Generic Netlink interfaces used by ovpn-dco. I will follow up this with the upstream SELinux reference policy maintainers. Package maintainers needing SELinux can in the mean time, until an updated SELinux policy is available, provide an additional SELinux module which grants the needed privileges to openvpn_t labelled processes. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges
On 31/03/2022 13:34, Gert Doering wrote: Hi, On Thu, Mar 31, 2022 at 01:29:28PM +0200, Timo Rothenpieler wrote: That's exactly what the patch does. Which I very much like :-) (I said that on IRC already, repeating here for the list archive) Only difference is that for sitnl, to avoid breaking existing setups, it will fall back to the old approach of switching user if the capability retaining approach failed. I'm a bit undecided if this is really something to worry about... but then, in an existing and working systemd environment with reduced capabilities it might break setups going 2.5 -> 2.6, so maybe "being careful about things" is the better way :-) Yeah, I agree with this. For v2.6, the time is too short to be dare too much potential breakage now. But we can consider further steps with v2.7. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges
openvpn3-serivce-client) runs completely unprivileged, but gets its tun/ovpn-dco interface created by openvpn3-service-netcfg and the client passes VPN IP address, routes and DNS settings to this netcfg service which applies these changes. The netcfg service runs as openvpn:openvpn with CAP_NET_ADMIN (and a few optional other ones, depending on the system setup) and can only be approached by openvpn3-service-client processes. The rest of the OpenVPN 3 Linux stack runs completely unprivileged. On systems with SELinux enabled, both openvpn3-service-client and openvpn3-service-netcfg runs confined in their own separate SELinux contexts, with a strict policy what each of them can do. I am willing to work on making the netcfg service even less "OpenVPN 3 centric", and it has a potential to grow towards a generic VPN API on Linux. The current D-Bus interface it uses is highly inspired by the Android VPN API. But this won't happen in a short time and not in time for the OpenVPN 2.6 release. This is probably something which is more realistic for OpenVPN 2.8. But this needs to be discussed more thoroughly (next hackathon?). -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Retain CAP_NET_ADMIN when dropping privileges
On 30/03/2022 10:51, David Sommerseth wrote: On 29/03/2022 21:29, Timo Rothenpieler wrote: --- This patch sits on top of the current dco branch, and will not apply to latest master. It solves the issue of dropping root privileges breaking dco and sitnl due to missing NET_ADMIN capabilities. configure.ac | 3 ++ src/openvpn/init.c | 22 +- src/openvpn/platform.c | 65 +- src/openvpn/platform.h | 2 +- 4 files changed, 89 insertions(+), 3 deletions(-) Thanks a lot! I've quickly looked through the code, and I have to NAK this approach: +#ifdef HAVE_LINUX_CAPABILITIES +#define SET_CAP_HELPER(data, set, cap) data[(cap)>>5].set |= 1<<((cap)&31) + +static bool +do_keep_caps(bool prepare) +{ + struct __user_cap_header_struct cap_hdr = { _LINUX_CAPABILITY_VERSION_3 }; + struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3] = {}; + + if (syscall(SYS_capget, &cap_hdr, cap_data) < 0) We should really use libcap or libcap-ng and not avoid using syscalls directly. This did not come out well. Sorry about that. We should really avoid using syscalls directly, as that binds us to certain APIs and bindings. Newer kernels may also require additional adjustments in the future, to preserve the same behaviour. Which means we need to maintain this code and also pay more attention to the security aspects of privilege management, like new vulnerabilities and exploits. The libcap or libcap-ng libraries are used by far more applications, doing similar privilege management - and these libraries already pay attention to the security aspects of new vulnerabilities and exploits. The libcap-ng library is also recommended by more developers, due to its simpler API. It is possible to argue that sitnl does low-level calls to the kernel as well. But potential libraries had an API which was making everything far more complex on the OpenVPN side. For libcap-ng at least, that is not the case; as the API it provides is pretty simple. I have used libcap-ng in openvpn3-linux, both for preserving capabilities and dropping root. It does all the right steps fairly easily. The configure.ac detection, which for OpenVPN 2.x can be restricted when DCO is going to be built into openvpn: <https://github.com/OpenVPN/openvpn3-linux/blob/master/configure.ac#L113> The code for preserving capabilities: <https://github.com/OpenVPN/openvpn3-linux/blob/c40218df43c8e652fedfa70304eae797b305e780/src/netcfg/openvpn3-service-netcfg.cpp#L82> And the code for dropping root, ensuring the capabilities are restricted properly: <https://github.com/OpenVPN/openvpn3-linux/blob/c40218df43c8e652fedfa70304eae797b305e780/src/netcfg/openvpn3-service-netcfg.cpp#L64> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Retain CAP_NET_ADMIN when dropping privileges
On 29/03/2022 21:29, Timo Rothenpieler wrote: --- This patch sits on top of the current dco branch, and will not apply to latest master. It solves the issue of dropping root privileges breaking dco and sitnl due to missing NET_ADMIN capabilities. configure.ac | 3 ++ src/openvpn/init.c | 22 +- src/openvpn/platform.c | 65 +- src/openvpn/platform.h | 2 +- 4 files changed, 89 insertions(+), 3 deletions(-) Thanks a lot! I've quickly looked through the code, and I have to NAK this approach: +#ifdef HAVE_LINUX_CAPABILITIES +#define SET_CAP_HELPER(data, set, cap) data[(cap)>>5].set |= 1<<((cap)&31) + +static bool +do_keep_caps(bool prepare) +{ +struct __user_cap_header_struct cap_hdr = { _LINUX_CAPABILITY_VERSION_3 }; +struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3] = {}; + +if (syscall(SYS_capget, &cap_hdr, cap_data) < 0) We should really use libcap or libcap-ng and not avoid using syscalls directly. I have used libcap-ng in openvpn3-linux, both for preserving capabilities and dropping root. It does all the right steps fairly easily. The configure.ac detection, which for OpenVPN 2.x can be restricted when DCO is going to be built into openvpn: <https://github.com/OpenVPN/openvpn3-linux/blob/master/configure.ac#L113> The code for preserving capabilities: <https://github.com/OpenVPN/openvpn3-linux/blob/c40218df43c8e652fedfa70304eae797b305e780/src/netcfg/openvpn3-service-netcfg.cpp#L82> And the code for dropping root, ensuring the capabilities are restricted properly: <https://github.com/OpenVPN/openvpn3-linux/blob/c40218df43c8e652fedfa70304eae797b305e780/src/netcfg/openvpn3-service-netcfg.cpp#L64> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2.4 v5 1/3] sample-plugin: New plugin for testing multiple auth plugins
From: David Sommerseth This plugin allows setting username/passwords as well as configure deferred authentication behaviour as part of the runtime initialization. With this plug-in it is easier to test various scenarios where multiple authentication plug-ins are active on the server side. A test documentation was also added to describe various test cases and the expected results. Signed-off-by: David Sommerseth --- v3 - Flipped NULL==var/NULL!=var to (var)/(!var) in if() block --- doc/tests/authentication-plugins.md | 153 + sample/sample-plugins/defer/README | 8 + sample/sample-plugins/defer/multi-auth.c | 413 +++ 3 files changed, 574 insertions(+) create mode 100644 doc/tests/authentication-plugins.md create mode 100644 sample/sample-plugins/defer/multi-auth.c diff --git a/doc/tests/authentication-plugins.md b/doc/tests/authentication-plugins.md new file mode 100644 index ..1f5fb851 --- /dev/null +++ b/doc/tests/authentication-plugins.md @@ -0,0 +1,153 @@ +# TESTING OF MULTIPLE AUTHENTICATION PLUG-INS + + +OpenVPN 2.x can support loading and authenticating users through multiple +plug-ins at the same time. But it can only support a single plug-in doing +deferred authentication. However, a plug-in supporting deferred +authentication may be accompanied by other authentication plug-ins **not** +doing deferred authentication. + +This is a test script useful to test the various combinations and order of +plug-in execution. + +The configuration files are expected to be used from the root of the build +directory. + +To build the needed authentication plug-in, run: + + make -C sample/sample-plugins + + +## Test configs + +* Client config + + verb 4 + dev tun + client + remote x.x.x.x + ca sample/sample-keys/ca.crt + cert sample/sample-keys/client.crt + key sample/sample-keys/client.key + auth-user-pass + +* Base server config (`base-server.conf`) + + verb 4 + dev tun + server 10.8.0.0 255.255.255.0 + dh sample/sample-keys/dh2048.pem + ca sample/sample-keys/ca.crt + cert sample/sample-keys/server.crt + key sample/sample-keys/server.key + + +## Test cases + +### Test: *sanity-1* + +This tests the basic authentication with an instant answer. + + config base-server.conf + plugin multi-auth.so S1.1 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-2* + +This is similar to `sanity-1`, but does the authentication +through two plug-ins providing an instant reply. + + config base-server.conf + plugin multi-auth.so S2.1 0 foo bar + plugin multi-auth.so S2.2 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-3* + +This is also similar to `sanity-1`, but uses deferred authentication +with a 1 second delay on the response. + + plugin multi-auth.so S3.1 1000 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-a* + +Runs two authentications, the first one deferred by 1 second and the +second one providing an instant response. + + plugin multi-auth.so A.1 1000 foo bar + plugin multi-auth.so A.2 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-b* + +This is similar to `case-a`, but the instant authentication response +is provided first before the deferred authentication. + + plugin multi-auth.so B.1 0 foo bar + plugin multi-auth.so B.2 1000 test pass + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-c* + +This is similar to the two prior tests, but the authentication result +is returned instantly in both steps. + + plugin multi-auth.so C.1 0 foo bar + plugin multi-auth.so C.2 0 foo2 bar2 + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-d* + +This is similar to the `case-b` test, but the order of deferred +and instant response is reversed. + +plugin ./multi-auth.so D.1 2000 test pass +plugin ./multi-auth.so D.2 0 foo bar + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-e* + +This test case will run two deferred authentication plug-ins. This is +**not** supported by OpenVPN, and should therefore fail instantly. + +plugin ./multi-auth.so E1 1000 test1 pass1 +plugin ./multi-auth.so E2 2000 test2 pass2 + + Expected results + - The OpenVPN server process should stop running + - An error about multiple deferred plug-ins being configured + should be seen in the server log. + + diff --git
[Openvpn-devel] [PATCH v2.4 v5 2/3] plug-ins: Disallow multiple deferred authentication plug-ins
From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail out when this discovered with an error in the log. CVE: 2022-0547 Signed-off-by: David Sommerseth --- Note: The man page snippet is copied from the generated nroff formatting from the git master generated man page. v3 - flip CONSTANT==var to var==CONSTANT in if() clause v4 - Use M_FATAL instead of M_ERR v5 - Fix missing ) in if() clause --- doc/openvpn.8| 13 + src/openvpn/plugin.c | 33 ++--- 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 598d5fce..a6a5feb6 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify, or client\-connect), then every module and script must return success (0) in order for the connection to be authenticated. + +.INDENT 7.0 +.TP +.B \fBWARNING\fP: +Plug\-ins may do deferred execution, meaning the plug\-in will +return the control back to the main OpenVPN process and provide +the plug\-in result later on via a different thread or process. +OpenVPN does \fBNOT\fP support multiple authentication plug\-ins +\fBwhere more than one of them\fP do deferred authentication. +If this behaviour is detected, OpenVPN will shut down upon first +authentication. +.UNINDENT +.UNINDENT .\"* .TP .B \-\-keying\-material\-exporter label len diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 0ab99ab5..a019ec77 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl, const int n = plugin_n(pl); bool success = false; bool error = false; -bool deferred = false; +bool deferred_auth_done = false; setenv_del(es, "script_type"); envp = make_env_array(es, false, &gc); @@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl, break; case OPENVPN_PLUGIN_FUNC_DEFERRED: -deferred = true; +if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) +&& deferred_auth_done) +{ +/* + * Do not allow deferred auth if a deferred auth has + * already been started. This should allow a single + * deferred auth call to happen, with one or more + * auth calls with an instant authentication result. + * + * The plug-in API is not designed for multiple + * deferred authentications to happen, as the + * auth_control_file file will be shared across all + * the plug-ins. + * + * Since this is considered a critical configuration + * error, we bail out and exit the OpenVPN process. + */ +error = true; +msg(M_FATAL, +"Exiting due to multiple authentication plug-ins " +"performing deferred authentication. Only one " +"authentication plug-in doing deferred auth is " +"allowed. Ignoring the result and stopping now, " +"the current authentication result is not to be " +"trusted."); +break; +} +deferred_auth_done = true; break; default: @@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl, { return OPENVPN_PLUGIN_FUNC_ERROR; } -else if (deferred) +else if (deferred_auth_done) { return OPENVPN_PLUGIN_FUNC_DEFERRED; } -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2.4 v5 3/3] plug-ins: Remove defer/simple.c sample plugin
From: David Sommerseth The use case for this plug-in is dubious now with the new multi-auth.c plugin available. This new plugin is based on simple.c, but allows far more flexibility for testing. Signed-off-by: David Sommerseth --- sample/sample-plugins/defer/README | 3 - sample/sample-plugins/defer/simple.c | 541 - sample/sample-plugins/defer/simple.def | 6 - 3 files changed, 550 deletions(-) delete mode 100644 sample/sample-plugins/defer/simple.c delete mode 100755 sample/sample-plugins/defer/simple.def diff --git a/sample/sample-plugins/defer/README b/sample/sample-plugins/defer/README index 4c032993..b20f4eea 100644 --- a/sample/sample-plugins/defer/README +++ b/sample/sample-plugins/defer/README @@ -2,9 +2,6 @@ OpenVPN plugin examples. Examples provided: -simple.c -- using the --auth-user-pass-verify callback, -test deferred authentication. - multi-auth.c -- Test plug-in for testing multiple authentication plug-ins in the same OpenVPN server configuration. Only tested on Linux. diff --git a/sample/sample-plugins/defer/simple.c b/sample/sample-plugins/defer/simple.c deleted file mode 100644 index 6f08bedd.. --- a/sample/sample-plugins/defer/simple.c +++ /dev/null @@ -1,541 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single TCP/UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2002-2018 OpenVPN Inc - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - -/* - * This file implements a simple OpenVPN plugin module which - * will test deferred authentication and packet filtering. - * - * Will run on Windows or *nix. - * - * Sample usage: - * - * setenv test_deferred_auth 20 - * setenv test_packet_filter 10 - * plugin plugin/defer/simple.so - * - * This will enable deferred authentication to occur 20 - * seconds after the normal TLS authentication process, - * and will cause a packet filter file to be generated 10 - * seconds after the initial TLS negotiation, using - * {common-name}.pf as the source. - * - * Sample packet filter configuration: - * - * [CLIENTS DROP] - * +otherclient - * [SUBNETS DROP] - * +10.0.0.0/8 - * -10.10.0.8 - * [END] - * - * See the README file for build instructions. - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#include "openvpn-plugin.h" - -/* Pointers to functions exported from openvpn */ -static plugin_log_t plugin_log = NULL; - -/* - * Constants indicating minimum API and struct versions by the functions - * in this plugin. Consult openvpn-plugin.h, look for: - * OPENVPN_PLUGIN_VERSION and OPENVPN_PLUGINv3_STRUCTVER - * - * Strictly speaking, this sample code only requires plugin_log, a feature - * of structver version 1. However, '1' lines up with ancient versions - * of openvpn that are past end-of-support. As such, we are requiring - * structver '5' here to indicate a desire for modern openvpn, rather - * than a need for any particular feature found in structver beyond '1'. - */ -#define OPENVPN_PLUGIN_VERSION_MIN 3 -#define OPENVPN_PLUGIN_STRUCTVER_MIN 5 - -/* - * Our context, where we keep our state. - */ - -struct plugin_context { -int test_deferred_auth; -int test_packet_filter; -}; - -struct plugin_per_client_context { -int n_calls; -bool generated_pf_file; -}; - -/* module name for plugin_log() */ -static char *MODULE = "defer/simple"; - -/* - * Given an environmental variable name, search - * the envp array for its value, returning it - * if found or NULL otherwise. - */ -static const char * -get_env(const char *name, const char *envp[]) -{ -if (envp) -{ -int i; -const int namelen = strlen(name); -for (i = 0; envp[i]; ++i) -{ -if (!strncmp(envp[i], name, namelen)) -{ -const char *cp = envp[i] + namelen; -if (*cp == '=') -{ -return cp + 1; -} -} -} -} -return NULL; -} - -/* used for safe printf of possible NULL strings
[Openvpn-devel] [PATCH v2.4 v5 0/3] Disable multiple deferred authentication plug-ins
From: David Sommerseth This is the same patch set as the v4 [1] patch set, just without the embarrassing syntax error in the second patch. [1] <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23935.html> Message-Id: 20220313200715.13518-1-open...@sf.lists.topphemmelig.net David Sommerseth (3): sample-plugin: New plugin for testing multiple auth plugins plug-ins: Disallow multiple deferred authentication plug-ins plug-ins: Remove defer/simple.c sample plugin doc/openvpn.8| 13 + doc/tests/authentication-plugins.md | 153 +++ sample/sample-plugins/defer/README | 9 +- sample/sample-plugins/defer/multi-auth.c | 413 + sample/sample-plugins/defer/simple.c | 541 --- sample/sample-plugins/defer/simple.def | 6 - src/openvpn/plugin.c | 33 +- 7 files changed, 616 insertions(+), 552 deletions(-) create mode 100644 doc/tests/authentication-plugins.md create mode 100644 sample/sample-plugins/defer/multi-auth.c delete mode 100644 sample/sample-plugins/defer/simple.c delete mode 100755 sample/sample-plugins/defer/simple.def -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2.4 v4 3/3] plug-ins: Remove defer/simple.c sample plugin
From: David Sommerseth The use case for this plug-in is dubious now with the new multi-auth.c plugin available. This new plugin is based on simple.c, but allows far more flexibility for testing. Signed-off-by: David Sommerseth --- sample/sample-plugins/defer/README | 3 - sample/sample-plugins/defer/simple.c | 541 - sample/sample-plugins/defer/simple.def | 6 - 3 files changed, 550 deletions(-) delete mode 100644 sample/sample-plugins/defer/simple.c delete mode 100755 sample/sample-plugins/defer/simple.def diff --git a/sample/sample-plugins/defer/README b/sample/sample-plugins/defer/README index 4c032993..b20f4eea 100644 --- a/sample/sample-plugins/defer/README +++ b/sample/sample-plugins/defer/README @@ -2,9 +2,6 @@ OpenVPN plugin examples. Examples provided: -simple.c -- using the --auth-user-pass-verify callback, -test deferred authentication. - multi-auth.c -- Test plug-in for testing multiple authentication plug-ins in the same OpenVPN server configuration. Only tested on Linux. diff --git a/sample/sample-plugins/defer/simple.c b/sample/sample-plugins/defer/simple.c deleted file mode 100644 index 6f08bedd.. --- a/sample/sample-plugins/defer/simple.c +++ /dev/null @@ -1,541 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single TCP/UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2002-2018 OpenVPN Inc - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - -/* - * This file implements a simple OpenVPN plugin module which - * will test deferred authentication and packet filtering. - * - * Will run on Windows or *nix. - * - * Sample usage: - * - * setenv test_deferred_auth 20 - * setenv test_packet_filter 10 - * plugin plugin/defer/simple.so - * - * This will enable deferred authentication to occur 20 - * seconds after the normal TLS authentication process, - * and will cause a packet filter file to be generated 10 - * seconds after the initial TLS negotiation, using - * {common-name}.pf as the source. - * - * Sample packet filter configuration: - * - * [CLIENTS DROP] - * +otherclient - * [SUBNETS DROP] - * +10.0.0.0/8 - * -10.10.0.8 - * [END] - * - * See the README file for build instructions. - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#include "openvpn-plugin.h" - -/* Pointers to functions exported from openvpn */ -static plugin_log_t plugin_log = NULL; - -/* - * Constants indicating minimum API and struct versions by the functions - * in this plugin. Consult openvpn-plugin.h, look for: - * OPENVPN_PLUGIN_VERSION and OPENVPN_PLUGINv3_STRUCTVER - * - * Strictly speaking, this sample code only requires plugin_log, a feature - * of structver version 1. However, '1' lines up with ancient versions - * of openvpn that are past end-of-support. As such, we are requiring - * structver '5' here to indicate a desire for modern openvpn, rather - * than a need for any particular feature found in structver beyond '1'. - */ -#define OPENVPN_PLUGIN_VERSION_MIN 3 -#define OPENVPN_PLUGIN_STRUCTVER_MIN 5 - -/* - * Our context, where we keep our state. - */ - -struct plugin_context { -int test_deferred_auth; -int test_packet_filter; -}; - -struct plugin_per_client_context { -int n_calls; -bool generated_pf_file; -}; - -/* module name for plugin_log() */ -static char *MODULE = "defer/simple"; - -/* - * Given an environmental variable name, search - * the envp array for its value, returning it - * if found or NULL otherwise. - */ -static const char * -get_env(const char *name, const char *envp[]) -{ -if (envp) -{ -int i; -const int namelen = strlen(name); -for (i = 0; envp[i]; ++i) -{ -if (!strncmp(envp[i], name, namelen)) -{ -const char *cp = envp[i] + namelen; -if (*cp == '=') -{ -return cp + 1; -} -} -} -} -return NULL; -} - -/* used for safe printf of possible NULL strings
[Openvpn-devel] [PATCH v2.4 v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins
From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail out when this discovered with an error in the log. CVE: 2022-0547 Signed-off-by: David Sommerseth --- Note: The man page snippet is copied from the generated nroff formatting from the git master generated man page. v3 - flip CONSTANT==var to var==CONSTANT in if() clause v4 - Use M_FATAL instead of M_ERR --- doc/openvpn.8| 13 + src/openvpn/plugin.c | 33 ++--- 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 598d5fce..a6a5feb6 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify, or client\-connect), then every module and script must return success (0) in order for the connection to be authenticated. + +.INDENT 7.0 +.TP +.B \fBWARNING\fP: +Plug\-ins may do deferred execution, meaning the plug\-in will +return the control back to the main OpenVPN process and provide +the plug\-in result later on via a different thread or process. +OpenVPN does \fBNOT\fP support multiple authentication plug\-ins +\fBwhere more than one of them\fP do deferred authentication. +If this behaviour is detected, OpenVPN will shut down upon first +authentication. +.UNINDENT +.UNINDENT .\"* .TP .B \-\-keying\-material\-exporter label len diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 0ab99ab5..76d1b2e5 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl, const int n = plugin_n(pl); bool success = false; bool error = false; -bool deferred = false; +bool deferred_auth_done = false; setenv_del(es, "script_type"); envp = make_env_array(es, false, &gc); @@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl, break; case OPENVPN_PLUGIN_FUNC_DEFERRED: -deferred = true; +if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY +&& deferred_auth_done) +{ +/* + * Do not allow deferred auth if a deferred auth has + * already been started. This should allow a single + * deferred auth call to happen, with one or more + * auth calls with an instant authentication result. + * + * The plug-in API is not designed for multiple + * deferred authentications to happen, as the + * auth_control_file file will be shared across all + * the plug-ins. + * + * Since this is considered a critical configuration + * error, we bail out and exit the OpenVPN process. + */ +error = true; +msg(M_FATAL, +"Exiting due to multiple authentication plug-ins " +"performing deferred authentication. Only one " +"authentication plug-in doing deferred auth is " +"allowed. Ignoring the result and stopping now, " +"the current authentication result is not to be " +"trusted."); +break; +} +deferred_auth_done = true; break; default: @@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl, { return OPENVPN_PLUGIN_FUNC_ERROR; } -else if (deferred) +else if (deferred_auth_done) { return OPENVPN_PLUGIN_FUNC_DEFERRED; } -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2.4 v4 1/3] sample-plugin: New plugin for testing multiple auth plugins
From: David Sommerseth This plugin allows setting username/passwords as well as configure deferred authentication behaviour as part of the runtime initialization. With this plug-in it is easier to test various scenarios where multiple authentication plug-ins are active on the server side. A test documentation was also added to describe various test cases and the expected results. Signed-off-by: David Sommerseth --- v3 - Flipped NULL==var/NULL!=var to (var)/(!var) in if() block --- doc/tests/authentication-plugins.md | 153 + sample/sample-plugins/defer/README | 8 + sample/sample-plugins/defer/multi-auth.c | 413 +++ 3 files changed, 574 insertions(+) create mode 100644 doc/tests/authentication-plugins.md create mode 100644 sample/sample-plugins/defer/multi-auth.c diff --git a/doc/tests/authentication-plugins.md b/doc/tests/authentication-plugins.md new file mode 100644 index ..1f5fb851 --- /dev/null +++ b/doc/tests/authentication-plugins.md @@ -0,0 +1,153 @@ +# TESTING OF MULTIPLE AUTHENTICATION PLUG-INS + + +OpenVPN 2.x can support loading and authenticating users through multiple +plug-ins at the same time. But it can only support a single plug-in doing +deferred authentication. However, a plug-in supporting deferred +authentication may be accompanied by other authentication plug-ins **not** +doing deferred authentication. + +This is a test script useful to test the various combinations and order of +plug-in execution. + +The configuration files are expected to be used from the root of the build +directory. + +To build the needed authentication plug-in, run: + + make -C sample/sample-plugins + + +## Test configs + +* Client config + + verb 4 + dev tun + client + remote x.x.x.x + ca sample/sample-keys/ca.crt + cert sample/sample-keys/client.crt + key sample/sample-keys/client.key + auth-user-pass + +* Base server config (`base-server.conf`) + + verb 4 + dev tun + server 10.8.0.0 255.255.255.0 + dh sample/sample-keys/dh2048.pem + ca sample/sample-keys/ca.crt + cert sample/sample-keys/server.crt + key sample/sample-keys/server.key + + +## Test cases + +### Test: *sanity-1* + +This tests the basic authentication with an instant answer. + + config base-server.conf + plugin multi-auth.so S1.1 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-2* + +This is similar to `sanity-1`, but does the authentication +through two plug-ins providing an instant reply. + + config base-server.conf + plugin multi-auth.so S2.1 0 foo bar + plugin multi-auth.so S2.2 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-3* + +This is also similar to `sanity-1`, but uses deferred authentication +with a 1 second delay on the response. + + plugin multi-auth.so S3.1 1000 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-a* + +Runs two authentications, the first one deferred by 1 second and the +second one providing an instant response. + + plugin multi-auth.so A.1 1000 foo bar + plugin multi-auth.so A.2 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-b* + +This is similar to `case-a`, but the instant authentication response +is provided first before the deferred authentication. + + plugin multi-auth.so B.1 0 foo bar + plugin multi-auth.so B.2 1000 test pass + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-c* + +This is similar to the two prior tests, but the authentication result +is returned instantly in both steps. + + plugin multi-auth.so C.1 0 foo bar + plugin multi-auth.so C.2 0 foo2 bar2 + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-d* + +This is similar to the `case-b` test, but the order of deferred +and instant response is reversed. + +plugin ./multi-auth.so D.1 2000 test pass +plugin ./multi-auth.so D.2 0 foo bar + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-e* + +This test case will run two deferred authentication plug-ins. This is +**not** supported by OpenVPN, and should therefore fail instantly. + +plugin ./multi-auth.so E1 1000 test1 pass1 +plugin ./multi-auth.so E2 2000 test2 pass2 + + Expected results + - The OpenVPN server process should stop running + - An error about multiple deferred plug-ins being configured + should be seen in the server log. + + diff --git
[Openvpn-devel] [PATCH v2.4 v4 0/3] Disable multiple deferred authentication plug-ins
From: David Sommerseth This is an adopted version of [0] for the OpenVPN 2.4 release branch. It was discovered an issue with OpenVPN 2.x when multiple --plugin modules were loaded and more than one of them used deferred authentication. To fix this properly will require a larger refactoring of the plug-in code, so it was decided in the mean time to disable the possibility to run an OpenVPN server with such a setup. This issue affects the OpenVPN server mode only. This patch set adds a new test plug-in and adds some test documentation on how to test various combinations of authentication plug-ins. Since this new plug-in (multi-auth.c) is fairly close to the simple.c plug-in, just more flexible for test setups, we remove the old one. The fix itself is isolated in a separate patch in this set. The order of patches are insignificant; there are no inter-dependencies between them. [0] <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23934.html> Message-ID: <20220313193154.9350-1-open...@sf.lists.topphemmelig.net> -- kind regards, David Sommerseth OpenVPN Inc David Sommerseth (3): sample-plugin: New plugin for testing multiple auth plugins plug-ins: Disallow multiple deferred authentication plug-ins plug-ins: Remove defer/simple.c sample plugin doc/openvpn.8| 13 + doc/tests/authentication-plugins.md | 153 +++ sample/sample-plugins/defer/README | 9 +- sample/sample-plugins/defer/multi-auth.c | 413 + sample/sample-plugins/defer/simple.c | 541 --- sample/sample-plugins/defer/simple.def | 6 - src/openvpn/plugin.c | 33 +- 7 files changed, 616 insertions(+), 552 deletions(-) create mode 100644 doc/tests/authentication-plugins.md create mode 100644 sample/sample-plugins/defer/multi-auth.c delete mode 100644 sample/sample-plugins/defer/simple.c delete mode 100755 sample/sample-plugins/defer/simple.def -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4 3/3] plugins: Remove defer/simple.c sample plugin
From: David Sommerseth The use case for this plug-in is dubious now with the new multi-auth.c plugin available. This new plugin is based on simple.c, but allows far more flexibility for testing. Signed-off-by: David Sommerseth --- include/openvpn-plugin.h.in| 4 +- sample/sample-plugins/Makefile.plugins | 1 - sample/sample-plugins/README | 6 +- sample/sample-plugins/defer/simple.c | 393 - sample/sample-plugins/defer/simple.def | 6 - 5 files changed, 6 insertions(+), 404 deletions(-) delete mode 100644 sample/sample-plugins/defer/simple.c delete mode 100755 sample/sample-plugins/defer/simple.def diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in index 087010a4..dc7c5306 100644 --- a/include/openvpn-plugin.h.in +++ b/include/openvpn-plugin.h.in @@ -584,8 +584,8 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_op * * OpenVPN will delete the auth_control_file after it goes out of scope. * - * See plugin/defer/simple.c for an example on using asynchronous - * authentication. + * See sample/sample-plugins/defer/multi-auth.c for an example on using + * asynchronous authentication. */ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v2) (openvpn_plugin_handle_t handle, diff --git a/sample/sample-plugins/Makefile.plugins b/sample/sample-plugins/Makefile.plugins index 8bfbad09..917b02b6 100644 --- a/sample/sample-plugins/Makefile.plugins +++ b/sample/sample-plugins/Makefile.plugins @@ -7,7 +7,6 @@ # Plug-ins to build - listed entries should not carry any extensions # PLUGINS = \ - defer/simple \ defer/multi-auth \ keying-material-exporter-demo/keyingmaterialexporter \ log/log log/log_v3 \ diff --git a/sample/sample-plugins/README b/sample/sample-plugins/README index cf1b355e..356f603d 100644 --- a/sample/sample-plugins/README +++ b/sample/sample-plugins/README @@ -5,8 +5,10 @@ Examples provided: * authentication and logging simple/simple.c -- using the --auth-user-pass-verify callback, verify that the username/password is "foo"/"bar". -defer/simple.c -- using the --auth-user-pass-verify callback, - test deferred authentication. +defer/multi-auth.c +-- using the --auth-user-pass-verify callback, + test deferred authentication. Can be used to test multiple + authentication plugins in the same server config. log/log.c -- Extended variant of simple/simple.c which adds more logging of what is happening inside the plug-in log/log_v3.c-- A variant of log/log.c, which makes use of the diff --git a/sample/sample-plugins/defer/simple.c b/sample/sample-plugins/defer/simple.c deleted file mode 100644 index d2f614a5.. --- a/sample/sample-plugins/defer/simple.c +++ /dev/null @@ -1,393 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single TCP/UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2002-2022 OpenVPN Inc - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - -/* - * This file implements a simple OpenVPN plugin module which - * will test deferred authentication and packet filtering. - * - * Will run on Windows or *nix. - * - * Sample usage: - * - * setenv test_deferred_auth 20 - * setenv test_packet_filter 10 - * plugin plugin/defer/simple.so - * - * This will enable deferred authentication to occur 20 - * seconds after the normal TLS authentication process, - * and will cause a packet filter file to be generated 10 - * seconds after the initial TLS negotiation, using - * {common-name}.pf as the source. - * - * Sample packet filter configuration: - * - * [CLIENTS DROP] - * +otherclient - * [SUBNETS DROP] - * +10.0.0.0/8 - * -10.10.0.8 - * [END] - * - * See the README file for build instructions. - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#include "openvpn-plugin.h" - -/* Pointers to functions exported from openvpn */ -static plugin_log_t plugin_log = NULL; - -/* - * Constants indicating mini
[Openvpn-devel] [PATCH v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins
From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail out when this discovered with an error in the log. CVE: 2022-0547 Signed-off-by: David Sommerseth --- v2 - flip CONSTANT==var to var==CONSTANT in if() clause v3 - Use M_FATAL instead of M_ERR --- doc/man-sections/plugin-options.rst | 9 src/openvpn/plugin.c| 33 ++--- 2 files changed, 39 insertions(+), 3 deletions(-) diff --git a/doc/man-sections/plugin-options.rst b/doc/man-sections/plugin-options.rst index 51c574fe..6cbbc2f3 100644 --- a/doc/man-sections/plugin-options.rst +++ b/doc/man-sections/plugin-options.rst @@ -55,3 +55,12 @@ plug-ins must be prebuilt and adhere to the OpenVPN Plug-In API. (such as tls-verify, auth-user-pass-verify, or client-connect), then every module and script must return success (:code:`0`) in order for the connection to be authenticated. + + **WARNING**: +Plug-ins may do deferred execution, meaning the plug-in will +return the control back to the main OpenVPN process and provide +the plug-in result later on via a different thread or process. +OpenVPN does **NOT** support multiple authentication plug-ins +**where more than one of them** do deferred authentication. +If this behaviour is detected, OpenVPN will shut down upon first +authentication. diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index e3a89293..8236e29e 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -802,7 +802,7 @@ plugin_call_ssl(const struct plugin_list *pl, const char **envp; const int n = plugin_n(pl); bool error = false; -bool deferred = false; +bool deferred_auth_done = false; setenv_del(es, "script_type"); envp = make_env_array(es, false, &gc); @@ -824,7 +824,34 @@ plugin_call_ssl(const struct plugin_list *pl, break; case OPENVPN_PLUGIN_FUNC_DEFERRED: -deferred = true; +if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) +&& deferred_auth_done) +{ +/* + * Do not allow deferred auth if a deferred auth has + * already been started. This should allow a single + * deferred auth call to happen, with one or more + * auth calls with an instant authentication result. + * + * The plug-in API is not designed for multiple + * deferred authentications to happen, as the + * auth_control_file file will be shared across all + * the plug-ins. + * + * Since this is considered a critical configuration + * error, we bail out and exit the OpenVPN process. + */ +error = true; +msg(M_FATAL, +"Exiting due to multiple authentication plug-ins " +"performing deferred authentication. Only one " +"authentication plug-in doing deferred auth is " +"allowed. Ignoring the result and stopping now, " +"the current authentication result is not to be " +"trusted."); +break; +} +deferred_auth_done = true; break; default: @@ -844,7 +871,7 @@ plugin_call_ssl(const struct plugin_list *pl, { return OPENVPN_PLUGIN_FUNC_ERROR; } -else if (deferred) +else if (deferred_auth_done) { return OPENVPN_PLUGIN_FUNC_DEFERRED; } -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4 1/3] sample-plugin: New plugin for testing multiple auth plugins
From: David Sommerseth This plugin allows setting username/passwords as well as configure deferred authentication behaviour as part of the runtime initialization. With this plug-in it is easier to test various scenarios where multiple authentication plug-ins are active on the server side. A test documentation was also added to describe various test cases and the expected results. Signed-off-by: David Sommerseth --- v2 - Flipped NULL==var to var==NULL --- doc/tests/authentication-plugins.md | 153 + sample/sample-plugins/Makefile.plugins | 1 + sample/sample-plugins/defer/multi-auth.c | 413 +++ 3 files changed, 567 insertions(+) create mode 100644 doc/tests/authentication-plugins.md create mode 100644 sample/sample-plugins/defer/multi-auth.c diff --git a/doc/tests/authentication-plugins.md b/doc/tests/authentication-plugins.md new file mode 100644 index ..1f5fb851 --- /dev/null +++ b/doc/tests/authentication-plugins.md @@ -0,0 +1,153 @@ +# TESTING OF MULTIPLE AUTHENTICATION PLUG-INS + + +OpenVPN 2.x can support loading and authenticating users through multiple +plug-ins at the same time. But it can only support a single plug-in doing +deferred authentication. However, a plug-in supporting deferred +authentication may be accompanied by other authentication plug-ins **not** +doing deferred authentication. + +This is a test script useful to test the various combinations and order of +plug-in execution. + +The configuration files are expected to be used from the root of the build +directory. + +To build the needed authentication plug-in, run: + + make -C sample/sample-plugins + + +## Test configs + +* Client config + + verb 4 + dev tun + client + remote x.x.x.x + ca sample/sample-keys/ca.crt + cert sample/sample-keys/client.crt + key sample/sample-keys/client.key + auth-user-pass + +* Base server config (`base-server.conf`) + + verb 4 + dev tun + server 10.8.0.0 255.255.255.0 + dh sample/sample-keys/dh2048.pem + ca sample/sample-keys/ca.crt + cert sample/sample-keys/server.crt + key sample/sample-keys/server.key + + +## Test cases + +### Test: *sanity-1* + +This tests the basic authentication with an instant answer. + + config base-server.conf + plugin multi-auth.so S1.1 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-2* + +This is similar to `sanity-1`, but does the authentication +through two plug-ins providing an instant reply. + + config base-server.conf + plugin multi-auth.so S2.1 0 foo bar + plugin multi-auth.so S2.2 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-3* + +This is also similar to `sanity-1`, but uses deferred authentication +with a 1 second delay on the response. + + plugin multi-auth.so S3.1 1000 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-a* + +Runs two authentications, the first one deferred by 1 second and the +second one providing an instant response. + + plugin multi-auth.so A.1 1000 foo bar + plugin multi-auth.so A.2 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-b* + +This is similar to `case-a`, but the instant authentication response +is provided first before the deferred authentication. + + plugin multi-auth.so B.1 0 foo bar + plugin multi-auth.so B.2 1000 test pass + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-c* + +This is similar to the two prior tests, but the authentication result +is returned instantly in both steps. + + plugin multi-auth.so C.1 0 foo bar + plugin multi-auth.so C.2 0 foo2 bar2 + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-d* + +This is similar to the `case-b` test, but the order of deferred +and instant response is reversed. + +plugin ./multi-auth.so D.1 2000 test pass +plugin ./multi-auth.so D.2 0 foo bar + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-e* + +This test case will run two deferred authentication plug-ins. This is +**not** supported by OpenVPN, and should therefore fail instantly. + +plugin ./multi-auth.so E1 1000 test1 pass1 +plugin ./multi-auth.so E2 2000 test2 pass2 + + Expected results + - The OpenVPN server process should stop running + - An error about multiple deferred plug-ins being configured + should be seen in the server log. + + diff --git a/sample/sample-plugins
[Openvpn-devel] [PATCH v4 0/3] Disable multiple deferred authentication
From: David Sommerseth It was discovered an issue with OpenVPN 2.x when multiple --plugin modules were loaded and more than one of them used deferred authentication. To fix this properly will require a larger refactoring of the plug-in code, so it was decided in the mean time to disable the possibility to run an OpenVPN server with such a setup. This issue affects the OpenVPN server mode only. This patch set adds a new test plug-in and adds some test documentation on how to test various combinations of authentication plug-ins. Since this new plug-in (multi-auth.c) is fairly close to the simple.c plug-in, just more flexible for test setups, we remove the old one. The fix itself is isolated in a separate patch in this set. The order of patches are insignificant; there are no inter-dependencies between them. -- kind regards, David Sommerseth OpenVPN Inc --- David Sommerseth (3): sample-plugin: New plugin for testing multiple auth plugins plug-ins: Disallow multiple deferred authentication plug-ins plugins: Remove defer/simple.c sample plugin doc/man-sections/plugin-options.rst | 9 + doc/tests/authentication-plugins.md | 153 +++ include/openvpn-plugin.h.in | 4 +- sample/sample-plugins/Makefile.plugins| 2 +- sample/sample-plugins/README | 6 +- .../defer/{simple.c => multi-auth.c} | 248 ++ sample/sample-plugins/defer/simple.def| 6 - src/openvpn/plugin.c | 33 ++- 8 files changed, 333 insertions(+), 128 deletions(-) create mode 100644 doc/tests/authentication-plugins.md rename sample/sample-plugins/defer/{simple.c => multi-auth.c} (61%) delete mode 100755 sample/sample-plugins/defer/simple.def -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] doc: cleanup for --data-ciphers and related
On 21/02/2022 12:19, Frank Lichtenheld wrote: - Fix various formatting inconsistencies - Explain what NCP means before using it. - Also replace some of the usages of NCP with the clearer "cipher negotiation". Signed-off-by: Frank Lichtenheld --- doc/man-sections/protocol-options.rst | 34 +-- 1 file changed, 17 insertions(+), 17 deletions(-) Only glared at changes, and they looks good to me. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 3/3 v3] doc/options: clean up documentation for --proto and related options
On 15/02/2022 15:54, Frank Lichtenheld wrote: The family specific options were generally omitted. Cc: David Sommerseth Signed-off-by: Frank Lichtenheld --- doc/man-sections/client-options.rst | 10 ++ doc/man-sections/link-options.rst | 5 - src/openvpn/options.c | 17 + 3 files changed, 23 insertions(+), 9 deletions(-) v2: move #define around v3: reword --proto-force with input from David This looks good. Only glared at changes, and they looks good to me. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 2/3 v2] doc: fix misc documentation issues
On 14/02/2022 18:33, Frank Lichtenheld wrote: - Broken/missing formatting - Make it obvious which arguments are optional Only the files touched have been reviewed, all other files likely have similar issues. Signed-off-by: Frank Lichtenheld --- doc/man-sections/client-options.rst | 4 ++-- doc/man-sections/generic-options.rst | 34 doc/man-sections/link-options.rst| 26 + src/openvpn/options.c| 2 +- 4 files changed, 43 insertions(+), 23 deletions(-) v2: remove some changes David disliked. Not that important. > Regards, -- Frank Lichtenheld Thanks! This time I've only glared at the changes in diff format, but they all look sane and good to me. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 3/3 v2] doc/options: clean up documentation for --proto and related options
On 14/02/2022 13:41, Frank Lichtenheld wrote: David Sommerseth hat am 11.02.2022 21:39 geschrieben: On 10/02/2022 11:21, Frank Lichtenheld wrote: The family specific options were generally omitted. Signed-off-by: Frank Lichtenheld --- doc/man-sections/client-options.rst | 5 + doc/man-sections/link-options.rst | 5 - src/openvpn/options.c | 17 + 3 files changed, 18 insertions(+), 9 deletions(-) v2: move #define around diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index 73f1ea51..4c4a8707 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -198,6 +198,11 @@ configuration. When iterating through connection profiles, only consider profiles using protocol ``p`` (:code:`tcp` \| :code:`udp`). + Note that this specifically only affects the protocol, not the inet + family (i.e. IPv4 vs. IPv6). While the option actually accepts + values like :code:`udp6`, there is no difference to specifying + :code:`udp`. + [...] Perhaps something like the suggestion below might be somewhat clearer? Note that this specifically only affects the TCP/IP transport layer protocol (UDP/TCP), not the TCP/IP network layers (IPv4/IPv6). In practice it means it will only consider connection profiles using either TCP or UDP. This does not affect whether IPv4 or IPv6 is used as IP protocols. In this context, :code:`udp`, :code:`udp4` and :code:`udp6` are all considered the same. And similar with :code:`tcp`, :code:`tcp4` and :code:`tcp6` Thanks, I hate it ;) Seriously though, I find this too clunky. Yes, TCP/IP is technically the correct name, but isn't that even more confusing? Maybe we can find a compromise: Note that this specifically only filters by the transport layer protocol, i.e. UDP or TCP. This does not affect whether IPv4 or IPv6 is used as IP protocol. For implementation reasons the option accepts the :code:`4` and :code:`6` suffixes when specifying the protocol (i.e. :code:`udp4` / :code:`udp6` / :code:`tcp4` / :code:`tcp6`). However, these behave the same as without the suffix and should be avoided to prevent confusion. Thanks, that's better! Let's roll with that. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 3/3 v2] doc/options: clean up documentation for --proto and related options
On 10/02/2022 11:21, Frank Lichtenheld wrote: The family specific options were generally omitted. Signed-off-by: Frank Lichtenheld --- doc/man-sections/client-options.rst | 5 + doc/man-sections/link-options.rst | 5 - src/openvpn/options.c | 17 + 3 files changed, 18 insertions(+), 9 deletions(-) v2: move #define around diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index 73f1ea51..4c4a8707 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -198,6 +198,11 @@ configuration. When iterating through connection profiles, only consider profiles using protocol ``p`` (:code:`tcp` \| :code:`udp`). + Note that this specifically only affects the protocol, not the inet + family (i.e. IPv4 vs. IPv6). While the option actually accepts + values like :code:`udp6`, there is no difference to specifying + :code:`udp`. + I'm sorry I didn't catch this at the previous round; somehow I mixed it with the --proto change below. The section above is related to --proto-force. May I suggest we clarify this text a bit more? As we have multiple definitions of protocol - whether it is the IP layer protocol or the TCP/UDP protocol on top of the IP layer. And in --proto we do indeed mix them up into a single option. Perhaps something like the suggestion below might be somewhat clearer? Note that this specifically only affects the TCP/IP transport layer protocol (UDP/TCP), not the TCP/IP network layers (IPv4/IPv6). In practice it means it will only consider connection profiles using either TCP or UDP. This does not affect whether IPv4 or IPv6 is used as IP protocols. In this context, :code:`udp`, :code:`udp4` and :code:`udp6` are all considered the same. And similar with :code:`tcp`, :code:`tcp4` and :code:`tcp6` The rest of the changes looks good now, and the relocation of the #define is better as well. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 3/3] doc/options: clean up documentation for --proto and related options
On 09/12/2021 18:11, Frank Lichtenheld wrote: The family specific options were generally omitted. --- doc/man-sections/client-options.rst | 5 + doc/man-sections/link-options.rst | 5 - src/openvpn/options.c | 17 + 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index 3c0bce4b..3a836226 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -198,6 +198,11 @@ configuration. When iterating through connection profiles, only consider profiles using protocol ``p`` (:code:`tcp` \| :code:`udp`). + Note that this specifically only affects the protocol, not the inet + family (i.e. IPv4 vs. IPv6). While the option actually accepts + values like :code:`udp6`, there is no difference to specifying + :code:`udp`. + --pull This option must be used on a client which is connecting to a multi-client server. It indicates to OpenVPN that it should accept diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 901751bb..a4c3166b 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -258,7 +258,10 @@ the local and the remote host. --proto p Use protocol ``p`` for communicating with remote host. ``p`` can be - :code:`udp`, :code:`tcp-client`, or :code:`tcp-server`. + :code:`udp`, :code:`tcp-client`, or :code:`tcp-server`. You can also + limit OpenVPN to use only IPv4 or only IPv6 by specifying ``p`` as + :code:`udp4`, :code:`tcp4-client`, :code:`tcp4-server` or :code:`udp6`, + :code:`tcp6-client`, :code:`tcp6-server`, respectively. The default protocol is :code:`udp` when ``--proto`` is not specified. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index c1ec7ed0..c7cf3400 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -125,9 +125,11 @@ static const char usage_message[] = "--remote-random-hostname : Add a random string to remote DNS name.\n" "--mode m: Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n" "--proto p : Use protocol p for communicating with peer.\n" -" p = udp (default), tcp-server, or tcp-client\n" +" p = udp (default), tcp-server, tcp-client\n" +" udp4, tcp4-server, tcp4-client\n" +" udp6, tcp6-server, tcp6-client\n" "--proto-force p : only consider protocol p in list of connection profiles.\n" -" p = udp6, tcp6-server, or tcp6-client (ipv6)\n" +" p = udp or tcp\n" "--connect-retry n [m] : For client, number of seconds to wait between\n" " connection retries (default=%d). On repeated retries\n" " the wait time is exponentially increased to a maximum of m\n" @@ -2314,15 +2316,16 @@ options_postprocess_verify_ce(const struct options *options, } if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER)) { -msg(M_USAGE, "--mode server currently only supports " -"--proto udp or --proto tcp-server or proto tcp6-server"); +#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \ +"--proto values of udp, tcp-server, tcp4-server, or tcp6-server" +msg(M_USAGE, USAGE_VALID_SERVER_PROTOS); The location of #define USAGE_VALID_SERVER_PROTOS is a bit odd. Because it is also used outside of the if() scope where it is defined. I would prefer if this would be defined higher up, maybe around line 2306, where the whole MODE_SERVER option parsing starts. This makes it clearer it is may be used more places. I've just looked briefly at these changes. And it looks reasonable. The ill-placed #define is the biggest issue for me in this patch. It would be good to get a second-opinion on the added notes though, that the man page info is correct. Otherwise this looks good. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 2/3] doc: fix misc documentation issues
nation. If an attacker knows or is able to control (parts of) the plain-text of packets that contain diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ac13412a..c1ec7ed0 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -343,7 +343,7 @@ static const char usage_message[] = " and received from TCP/UDP (caps) or tun/tap (lc)\n" ": 6 to 11 -- debug messages of increasing verbosity\n" "--mute n: Log at most n consecutive messages in the same category.\n" -"--status file n : Write operational status to file every n seconds.\n" +"--status file [n] : Write operational status to file every n seconds.\n" This is also good! I've not commented all changes, just the generic ideas of changes here. There are lots of good things here, and most of it makes sense. I'd just be very careful moving the "Valid syntax" blocks around. If we just want security warnings in plain bold or wrapped in '*' is more a design/layout detail. I would suggest that we try to find better ways to highlight these security related aspects in a clear and visible way though. It doesn't mean it need to stay as it is today, though. The current approach was more or less a "this can work" approach. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 1/3] doc/Makefile: rebuild rst docs if input files change
On 09/12/2021 18:11, Frank Lichtenheld wrote: For now the dependencies are statically defined, which should be fine and is still a much better solution than to have no dependencies. Signed-off-by: Frank Lichtenheld --- doc/Makefile.am | 21 +++-- 1 file changed, 15 insertions(+), 6 deletions(-) Done code review and lightly tested it, where it does what it is intended to do. This change makes a lot of sense as well. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] msvc: cleanup
On 08/02/2022 21:59, Frank Lichtenheld wrote: One thing I noticed while building: FOR /F %i IN ('where rst2html.py') DO python %i "c:\OpenVPN\openvpn\/doc/openvpn.8.rst" "c:\OpenVPN\openvpn\/doc/openvpn.8.html" This is clearly outdated code from before the rst split. But probably not something that needs to be addressed in this patch. The openvpn.8.rst includes all the other .rst files and builds a complete man page from there, so this isn't unexpected. It's part of the man-split design. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2 2/2] crypto: move OpenSSL specific FIPS check to its backend
On 03/02/2022 20:36, Antonio Quartulli wrote: Our crypto API already provides a function performing a validity check on the specified ciphername. The OpenSSL counterpart also checks for the cipher being FIPS-enabled. This API is cipher_valid(). Extend it so that it can provide a reason whenever the cipher is not valid and use it in crypto.c. This way we move any OpenSSL specific bit to its own backend and directly use the new cipher_valid_reason() API in the generic code. This patch fixes compilations with mbedTLS when some OpenSSL is also installed. The issue was introduced with: 544330fe ("crypto: Fix OPENSSL_FIPS enabled builds") Cc: David Sommerseth Signed-off-by: Antonio Quartulli --- Changes from v1: * rebased * don't return cipher, but true in cipher_valid_reason() src/openvpn/crypto.c | 11 +++ src/openvpn/crypto_backend.h | 21 - src/openvpn/crypto_mbedtls.c | 13 + src/openvpn/crypto_openssl.c | 6 +- 4 files changed, 37 insertions(+), 14 deletions(-) I've done test builds on RHEL-8 with both openssl-1.1.1k and mbedtls-2.16.12-1 without any issues. Just done some lightweight testing on top of reviewing code. This looks good to me. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2 1/2] crypto: move validation logic from cipher_get to cipher_valid
On 03/02/2022 20:36, Antonio Quartulli wrote: With cipher validation performed in cipher_get(), a cipher is never returned in any case if some check fails. This prevents OpenVPN from operating on all ciphers provided by the SSL library, like printing them to the user. Move the validation logic to cipher_valid() so that checks are performed only when OpenVPN really want to know if a cipher is usable or not. Fixes: ce2954a0 ("Remove cipher_kt_t and change type to const char* in API") Cc: Arne Schwabe Cc: David Sommerseth Signed-off-by: Antonio Quartulli --- Changes from v1: * properly release cipher in case of error in cipher_valid(); src/openvpn/crypto_openssl.c | 34 +++--- 1 file changed, 15 insertions(+), 19 deletions(-) I've done compile testing and some lightweight testing as well as code review. These changes looks reasonable. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 1/2] crypto: move validation logic from cipher_get to cipher_valid
On 26/01/2022 17:28, Antonio Quartulli wrote: With cipher validation performed in cipher_get(), a cipher is never returned in any case if some check fails. This prevents OpenVPN from operating on all ciphers provided by the SSL library, like printing them to the user. Move the validation logic to cipher_valid() so that checks are performed only when OpenVPN really want to know if a cipher is usable or not. Fixes: ce2954a0 ("Remove cipher_kt_t and change type to const char* in API") Cc: Arne Schwabe Signed-off-by: Antonio Quartulli --- NOTE: mbedtls already follows this approach and did not require any change. src/openvpn/crypto_openssl.c | 30 +++--- 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index a725306c..ea0147db 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -565,16 +565,19 @@ rand_bytes(uint8_t *output, int len) static evp_cipher_type * cipher_get(const char *ciphername) { -evp_cipher_type *cipher = NULL; - ASSERT(ciphername); ciphername = translate_cipher_name_from_openvpn(ciphername); -cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); +return EVP_CIPHER_fetch(NULL, ciphername, NULL); +} -if (NULL == cipher) +bool cipher_valid(const char *ciphername) Nitpick - function return 'bool' should be on a line on its own. [...] @@ -585,7 +588,7 @@ cipher_get(const char *ciphername) { msg(D_LOW, "Cipher algorithm '%s' is known by OpenSSL library but " "currently disabled by running in FIPS mode.", ciphername); -return NULL; +return false; It's missing an EVP_CIPHER_free(cipher) here. } #endif if (EVP_CIPHER_key_length(cipher) > MAX_CIPHER_KEY_LENGTH) @@ -594,22 +597,11 @@ cipher_get(const char *ciphername) "which is larger than " PACKAGE_NAME "'s current maximum key size " "(%d bytes)", ciphername, EVP_CIPHER_key_length(cipher), MAX_CIPHER_KEY_LENGTH); -return NULL; +return false; Missing EVP_CIPHER_free(cipher) here as well. } -return cipher; -} - -bool cipher_valid(const char *ciphername) -{ -evp_cipher_type *cipher = cipher_get(ciphername); -bool valid = (cipher != NULL); -if (!valid) -{ -crypto_msg(D_LOW, "Cipher algorithm '%s' not found", ciphername); -} EVP_CIPHER_free(cipher); -return valid; +return true; Maybe it would be better to have a 'bool ret = true' defined in the beginning and have an 'exit' label above the EVP_CIPHER_free() and at those two failure locations just set ret = false and goto exit? -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [RFC v2 0/7] Introduce ovpn-dco(-win) support
On 01/02/2022 15:56, Antonio Quartulli wrote: * COPR repo (Fedora, CentOS, RHEL) ** for openvpn2: https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-dco/ ** for ovpn-dco: https://copr.fedorainfracloud.org/coprs/dsommers/openvpn3/ Just a few quick steps on how to test this on Fedora and RHEL (with clones). First, ensure you have the a functional 'yum copr' command. This is normally available by default on Fedora and RHEL-8 and up. Then run these commands: # yum copr enable dsommers/openvpn-dco # yum copr enable dsommers/openvpn3 # yum install kmod-ovpn-dco openvpn Then you can put your server configs into /etc/openvpn/server and client configs into /etc/openvpn/client. To start the OpenVPN server: # systemctl enable --now openvpn-server@CONFIG_NAME To start the OpenVPN client: # systemctl enable --now openvpn-client@CONFIG_NAME These steps will also start OpenVPN automatically upon boot. If you don't want that, just replace 'enable --now' with 'start'. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] update copyright year to 2022
On 25/01/2022 15:24, Antonio Quartulli wrote: Update performed by means of: dev-tools/update-copyright.sh Cc: David Sommerseth Signed-off-by: Antonio Quartulli --- COPYING | 2 +- ChangeLog | 2 +- Makefile.am | 4 ++-- PORTS | 2 +- build/Makefile.am | 2 +- build/msvc/Makefile.am | 2 +- build/msvc/msvc-generate/Makefile.am| 2 +- configure.ac| 2 +- dev-tools/gen-release-tarballs.sh | 2 +- dev-tools/reformat-all.sh | 2 +- dev-tools/update-copyright.sh | 4 ++-- distro/Makefile.am | 2 +- distro/systemd/Makefile.am | 2 +- doc/Makefile.am | 2 +- include/Makefile.am | 2 +- include/openvpn-msg.h | 2 +- include/openvpn-plugin.h.in | 2 +- sample/Makefile.am | 2 +- sample/sample-keys/gen-sample-keys.sh | 2 +- sample/sample-plugins/Makefile.am | 2 +- sample/sample-plugins/Makefile.plugins | 2 +- .../sample-plugins/client-connect/sample-client-connect.c | 2 +- sample/sample-plugins/defer/simple.c| 2 +- .../keying-material-exporter-demo/keyingmaterialexporter.c | 2 +- sample/sample-plugins/log/log.c | 2 +- sample/sample-plugins/log/log_v3.c | 4 ++-- sample/sample-plugins/simple/base64.c | 2 +- sample/sample-plugins/simple/simple.c | 2 +- src/Makefile.am | 2 +- src/compat/Makefile.am | 2 +- src/compat/compat-gettimeofday.c| 2 +- src/compat/compat-strsep.c | 2 +- src/openvpn/Makefile.am | 2 +- src/openvpn/argv.c | 2 +- src/openvpn/argv.h | 2 +- src/openvpn/auth_token.h| 2 +- src/openvpn/basic.h | 2 +- src/openvpn/block_dns.c | 2 +- src/openvpn/block_dns.h | 2 +- src/openvpn/buffer.c| 2 +- src/openvpn/buffer.h| 2 +- src/openvpn/circ_list.h | 2 +- src/openvpn/clinat.c| 2 +- src/openvpn/clinat.h| 2 +- src/openvpn/common.h| 2 +- src/openvpn/comp-lz4.c | 4 ++-- src/openvpn/comp-lz4.h | 4 ++-- src/openvpn/comp.c | 2 +- src/openvpn/comp.h | 2 +- src/openvpn/compstub.c | 2 +- src/openvpn/console.c | 4 ++-- src/openvpn/console.h | 4 ++-- src/openvpn/console_builtin.c | 4 ++-- src/openvpn/crypto.c| 2 +- src/openvpn/crypto.h| 2 +- src/openvpn/crypto_backend.h| 2 +- src/openvpn/crypto_mbedtls.c| 2 +- src/openvpn/crypto_mbedtls.h| 2 +- src/openvpn/crypto_openssl.c| 2 +- src/openvpn/crypto_openssl.h| 2 +- src/openvpn/dhcp.c | 2 +- src/openvpn/dhcp.h | 2 +- src/openvpn/env_set.c | 4 ++-- src/openvpn/env_set.h | 2 +- src/openvpn/errlevel.h | 2 +- src/openvpn/error.c | 2 +- src/openvpn/error.h | 2 +- src/openvpn/event.c | 2 +- src/openvpn/event.h | 2 +- src/openvpn/fdmisc.c
[Openvpn-devel] [PATCH] crypto: Fix mbedtls builds
From: David Sommerseth With commit 544330fefedc87, the openssl_compat.h got included in crypto.c. This caused issues when building against mbed TLS, which this compat layer is not targeting. This issue is resolved by only including this header when the OpenSSL library is in use. The OPENSSL_FIPS macro should never be set when compiling against the mbed TLS library. But we check against the main ENABLE_CRYPTO_OPENSSL macro here, in case future updates adds more OpenSSL specific fragments. Signed-off-by: David Sommerseth --- src/openvpn/crypto.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5f6ad675..d55ca099 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,7 +34,9 @@ #include "error.h" #include "integer.h" #include "platform.h" +#ifdef ENABLE_CRYPTO_OPENSSL #include "openssl_compat.h" +#endif #include "memdbg.h" -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] crypto: Fix OPENSSL_FIPS enabled builds
On 19/01/2022 17:34, Selva Nair wrote: Hi, Sorry for chiming in late: On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth <mailto:open...@sf.lists.topphemmelig.net>> wrote: From: David Sommerseth mailto:dav...@openvpn.net>> On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS module enabled by default. On these platforms, the OPENSSL_FIPS macro is always defined via /usr/include/openssl/opensslconf-*.h. Without this fix, the following compilation error appears: ./src/openvpn/crypto.c: In function ‘print_cipher’: ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this function); did you mean ‘iphdr’? if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) ^~ The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided via the openssl_compat.h for older than OpenSSL 3.0. Signed-off-by: David Sommerseth mailto:dav...@openvpn.net>> --- src/openvpn/crypto.c | 4 1 file changed, 4 insertions(+) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5626e2b6..e489d453 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,6 +34,7 @@ #include "error.h" #include "integer.h" #include "platform.h" +#include "openssl_compat.h" #include "memdbg.h" @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername) printf(", TLS client/server mode only"); } #ifdef OPENSSL_FIPS + evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) We need to check that cipher is not NULL. Fetch can return NULL while EVP_CIPHER_flags() requires a non-null argument. Something like: if (cipher && FIPS_mode && etc...) will do. EVP_CIPHER_free() below can handle NULL, so no problem there. Thanks! v3 is on its way. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] crypto: Fix OPENSSL_FIPS enabled builds
From: David Sommerseth On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS module enabled by default. On these platforms, the OPENSSL_FIPS macro is always defined via /usr/include/openssl/opensslconf-*.h. Without this fix, the following compilation error appears: ./src/openvpn/crypto.c: In function ‘print_cipher’: ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this function); did you mean ‘iphdr’? if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) ^~ The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided via the openssl_compat.h for older than OpenSSL 3.0. Signed-off-by: David Sommerseth --- src/openvpn/crypto.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5626e2b6..eb0b1254 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,6 +34,7 @@ #include "error.h" #include "integer.h" #include "platform.h" +#include "openssl_compat.h" #include "memdbg.h" @@ -1704,10 +1705,15 @@ print_cipher(const char *ciphername) printf(", TLS client/server mode only"); } #ifdef OPENSSL_FIPS -if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) +evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + +if (FIPS_mode() +&& (NULL != cipher) +&& !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) { printf(", disabled by FIPS mode"); } +EVP_CIPHER_free(cipher); #endif printf(")\n"); -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] crypto: Fix OPENSSL_FIPS enabled builds
From: David Sommerseth On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS module enabled by default. On these platforms, the OPENSSL_FIPS macro is always defined via /usr/include/openssl/opensslconf-*.h. Without this fix, the following compilation error appears: ./src/openvpn/crypto.c: In function ‘print_cipher’: ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this function); did you mean ‘iphdr’? if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) ^~ The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided via the openssl_compat.h for older than OpenSSL 3.0. Signed-off-by: David Sommerseth --- src/openvpn/crypto.c | 4 1 file changed, 4 insertions(+) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5626e2b6..e489d453 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,6 +34,7 @@ #include "error.h" #include "integer.h" #include "platform.h" +#include "openssl_compat.h" #include "memdbg.h" @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername) printf(", TLS client/server mode only"); } #ifdef OPENSSL_FIPS +evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) { printf(", disabled by FIPS mode"); } +EVP_CIPHER_free(cipher); #endif printf(")\n"); -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] crypto: Fix OPENSSL_FIPS enabled builds
On 19/01/2022 14:44, Antonio Quartulli wrote: Hi David, On 19/01/2022 12:34, David Sommerseth wrote: From: David Sommerseth On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS module enabled by default. This revealed some incompatible code with the added DCO support. Signed-off-by: David Sommerseth --- src/openvpn/crypto.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5626e2b6..0415f59d 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,6 +34,7 @@ #include "error.h" #include "integer.h" #include "platform.h" +#include "openssl_compat.h" #include "memdbg.h" @@ -1704,6 +1705,8 @@ print_cipher(const char *ciphername) printf(", TLS client/server mode only"); } #ifdef OPENSSL_FIPS + evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + from the commit message it is clear that there are incompatibilities, but I am unable to guess what the real problem is. Maybe you could extend your commit message or add a comment here? Will do! How is declaring a non-used variable going to help > Oh, now I see that cipher is used but was never declared/initialized. Still worth a word in the commit message? ;-) Yes! On top of that, anything returned by EVP_get_cipherbyname() must be free'd later, or it will result in a memory leak. Will fix! On top of that ²: should we add some FIPS build to our GH Actions (for another patch of course)? This exploded on stock Fedora 35 inside a mock build chroot, no FIPS enabling required. The devil in the detail is that the OPENSSL_FIPS macro is defined unconditionally in /usr/include/openssl/opensslconf-x86_64.h. So our OPENSSL_FIPS blocks are always built on Fedora and related downstream distros. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] crypto: Fix OPENSSL_FIPS enabled builds
From: David Sommerseth On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS module enabled by default. This revealed some incompatible code with the added DCO support. Signed-off-by: David Sommerseth --- src/openvpn/crypto.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5626e2b6..0415f59d 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,6 +34,7 @@ #include "error.h" #include "integer.h" #include "platform.h" +#include "openssl_compat.h" #include "memdbg.h" @@ -1704,6 +1705,8 @@ print_cipher(const char *ciphername) printf(", TLS client/server mode only"); } #ifdef OPENSSL_FIPS +evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) { printf(", disabled by FIPS mode"); -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN 3 Linux client - v17 beta released
compatible with the development stack on this distribution. Both the OpenVPN 3 Core library and the Linux client has been modified to be able to build successfully. * Distro: Python 3.6 or newer is now required As of this release, any Linux distribution with Python older than version 3.6 is no longer supported. This removes the support for Debian 9. Supported Linux distributions - - Debian 10 (amd64, arm64) - Debian 11 (amd64, arm64) - CentOS 7 (x86_64) - CentOS 8 (x86_64, aarch64) - Fedora 34, 35 and Rawhide (x86_64, aarch64, s390x) - Red Hat Enterprise Linux 7 (x86_64) - Red Hat Enterprise Linux 8 (x86_64, aarch64) - Ubuntu 18.04, 20.04 and 21.04 (amd64, arm64) - Ubuntu 21.10 (amd64, arm64) is available for testing The arm64 support on selected Debian and Ubuntu releases are currently considered a tech-preview. -- kind regards, David Sommerseth OpenVPN Inc Source tarballs --- * OpenVPN 3 Linux v17 beta <https://swupdate.openvpn.net/community/releases/openvpn3-linux-17_beta.tar.xz> <https://swupdate.openvpn.net/community/releases/openvpn3-linux-17_beta.tar.xz.asc> SHA256 Checksums -- 9eba02c67d3e5606ee8d02e0d60032009d3f97a0564d42c91ff154fb06b47e61 openvpn3-linux-17_beta.tar.xz b1a3928074eed09ebde6ad03b51551883abd357fa2dd5f61bdb07285bf5b50d1 openvpn3-linux-17_beta.tar.xz.asc git references git repositories: <https://gitlab.com/openvpn/openvpn3-linux> <https://github.com/OpenVPN/openvpn3-linux> git tag: v17_beta git commit: 079e9da7f66f5cca59cf80ba8c548f0dedd433db Changes from v16 to v17 ------- David Sommerseth (61): cli/session-start: Add --background support log: Improve LogEvent formatting log: Use the LogEvent GVariant generator in LogSender log: Extend the LogSender::Log() with duplicate check client: Simplify BackendSignals::Log() client: Remove some not needed log duplication client: Don't switch to Reconnecting state on initial connect python: Remove aenum workaround for Python 3.5 or older python: Remove spurious import line from openvpn2 python: Ignore --mute-replay-warnings option python: Add --insecure-certs option to openvpn3-as git: Switch to https for submodules python: Extend ConfigParser to understand --tls-crypt-v2 python: Fix a few errors in ConfigParser sessionmgr: Fix incorrect LogEvent proxy format core-ext: Properly parse options which may be used more times common: Extend MachineID to support systemd API for machine-id python: Fix incorrect parsing of filenames with spaces client: Add support for static-challenge configurations common: Extend command line parser with alias command support ovpn3cli: Depreacte config-show in favour of config-dump core: Update to latest OpenVPN 3 Core library build: Avoid GNUism in Makefile.am configmgr/client: Remove support for forcing AES-CBC cipher configmgr: Extend with session ownership transfer flag ovpn3cli: Extend config-acl to support --transfer-owner-session sessionmgr: Respect the configuration profile transfer-ownership flag client: Parse the --verb option to set log-level client: Add support for 'log-level' override sessionmgr: Retrieve the client log-level for the session log-level sessionmgr: Proxy log-level settings in session to backend tests: Extend config-export-json-test to process files too core-ext: Fix incorrect handling of --static-challenge in JSON export systemd: Fix incorrect access to mainloop object in status handler systemd: Fix incorrect sd_notify() behaviour systemd: Add support for profiles needing user credentials common/shell: Fix bash-completion for options with optional arguments common: Don't throw an exception in ParsedArgs::GetValueLen() ovn3cli/session: Extend session-manage to set session log-level core: Update to latest OpenVPN 3 Core library dbus: Change the proxy call timeout to 5 seconds log: Don't throw exception on invalid LogGroup/LogCategory client: Use the proper index value to retrieve the --verb value client: Change default log-level to 3 systemd: Do not change the log level at startup by default client: Extend StatusEvent with stringstream formatting control cli/session: Extend the session module with session-auth cli/session: Extend session-auth to also list URL based auth cli/session: Implement completing on-going auth in session-auth cli/session: Add shell-completion support for session-auth cli/session: Remove "Auth URL" from sessions-list
Re: [Openvpn-devel] [PATCH] README.down-root: Fix plugin module name
On 07/11/2021 19:38, Frank Lichtenheld wrote: From: Ville Skyttä The module name is openvpn-plugin-down-root.so, not openvpn-down-root.so. Signed-off-by: Frank Lichtenheld --- src/plugins/down-root/README.down-root | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) As part of an initative to clean up the Github PR submissions, submitting this patch to the mailing list for inclusion. Looks obviously correct to me. PR: https://github.com/OpenVPN/openvpn/pull/98 diff --git a/src/plugins/down-root/README.down-root b/src/plugins/down-root/README.down-root index d337ffe9..98a3ee63 100644 --- a/src/plugins/down-root/README.down-root +++ b/src/plugins/down-root/README.down-root @@ -16,13 +16,13 @@ run in the same execution environment as the up script. BUILD Build this module with the "make" command. The plugin -module will be named openvpn-down-root.so +module will be named openvpn-plugin-down-root.so USAGE To use this module, add to your OpenVPN config file: - plugin openvpn-down-root.so "command ..." + plugin openvpn-plugin-down-root.so "command ..." CAVEATS This change is correct. And even according to src/plugins/down-root/Makefile.am: plugin_LTLIBRARIES = openvpn-plugin-down-root.la Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Fix error in example firewall.sh script
On 07/11/2021 18:40, Frank Lichtenheld wrote: From: Adrian The man page says: [!] -s, --source address[/mask][,...] Signed-off-by: Frank Lichtenheld --- sample/sample-config-files/firewall.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) As part of an initative to clean up the Github PR submissions, submitting this patch to the mailing list for inclusion. Looks obviously correct to me. diff --git a/sample/sample-config-files/firewall.sh b/sample/sample-config-files/firewall.sh index 19d75ee9..456700ca 100755 --- a/sample/sample-config-files/firewall.sh +++ b/sample/sample-config-files/firewall.sh @@ -50,7 +50,7 @@ iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP # Check source address validity on packets going out to internet -iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP +iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP # Allow local loopback iptables -A INPUT -s $LOOP -j ACCEPT This change makes sense to me. The syntax changed ages ago for iptables, where the negation needed to happen first. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Fix error in example firewall.sh script
On 08/11/2021 13:23, Frank Lichtenheld wrote: Arne Schwabe hat am 08.11.2021 12:36 geschrieben: Am 07.11.21 um 18:40 schrieb Frank Lichtenheld: From: Adrian The man page says: [!] -s, --source address[/mask][,...] Signed-off-by: Frank Lichtenheld --- sample/sample-config-files/firewall.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) As part of an initative to clean up the Github PR submissions, submitting this patch to the mailing list for inclusion. Looks obviously correct to me. diff --git a/sample/sample-config-files/firewall.sh b/sample/sample-config-files/firewall.sh index 19d75ee9..456700ca 100755 --- a/sample/sample-config-files/firewall.sh +++ b/sample/sample-config-files/firewall.sh @@ -50,7 +50,7 @@ iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP # Check source address validity on packets going out to internet -iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP +iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP # Allow local loopback iptables -A INPUT -s $LOOP -j ACCEPT I have a vague idea that this is actually different. Like one is that condition is not fulfilled and the other is that it is not part of the subnet if is different when there is different protocol but I might misremember. Certainly does not work with my iptables: # iptables -A OUTPUT -s ! 10.0.0.0/8 -j ACCEPT Bad argument `10.0.0.0/8' Try `iptables -h' or 'iptables --help' for more information. # iptables -A OUTPUT ! -s 10.0.0.0/8 -j ACCEPT # Regards, Frank I remember iptables announced it would redo the parsing logic for the command line interfaces ages ago, where the negation needed to happen before the "rule parameter" (-s in this case). It's probably closer to 8-10 years since this change, unless my memory is completely corrupted. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] resolvconf fails with -p
On 29/05/2021 03:35, sergio wrote: From: "Sergio E. Nemirowski" resolvconf -p resolvconf: Error: Command not recognized Signed-off-by: Sergio E. Nemirowski --- contrib/pull-resolv-conf/client.up | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/pull-resolv-conf/client.up b/contrib/pull-resolv-conf/client.up index f0769740..220aeb74 100644 --- a/contrib/pull-resolv-conf/client.up +++ b/contrib/pull-resolv-conf/client.up @@ -91,7 +91,7 @@ out="# resolv.conf autogenerated by ${0} (${dev})${nl}${dns}${ds}${domains}" # use resolvconf if it's available if type resolvconf >/dev/null 2>&1; then - printf "%s\n" "${out}" | resolvconf -p -a "${dev}" + printf "%s\n" "${out}" | resolvconf -a "${dev}" else # Preserve the existing resolv.conf if [ -e /etc/resolv.conf ] ; then I quickly checked resolveconf on Ubuntu {18,20,21}.04 and Debian 9-11. Neither of them supports the '-p' argument. I've checked Fedora 34, RHEL-{7,8} too, where I could not find any obvious alternative to the old version of resolvconf tool. On RHEL-8 and Fedora, systemd-resolved is available and provides a different resolveconf which targets to replace this old utility. This replacement neither support '-p'. This option got added in commit 3adf2f558e157ef508 back in 2010, but there's too little information why it was needed back then. But given that neither relevant Linux distributions supports this option today, it's reasonable to remove it now. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel